Get the rvm GPG key via curl from the rvm web side instead of via hkp. #48
Rationale: hkp is less reliable if installation is behind a firewall, and the installer might still work even if RVM changes its key. FWIW: The previous code no longer works, as gpg nowadays requires a "0x" prefix in front of the fingerprint.
@mpapis What do you think about the change?
the problem is with gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 ||
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
This is funny... I first had a very similar code But then I thought about it. Thoughts going through my head at that point included:
Neither of these arguments absolutely force doing it this way. The alternative at this point is
Just adding Can you give me a (preferably reasonably non-exotic) scenario where this would actually perform any better?
"You" meant @mpapis . What do you think?
Gpg V1 has a bug that prevents download; the proper solution to this problem would be detecting Gpg V2 (this can be either gpg2 or gpg on newer systems) and using it to download the hkp key. The fallback to curl is a bogus alternative. I was thinking about it, and we are targeting beginners here; any kind of info would be too much for them. The most reliable and close to security would be using:
gpg2 --recv-keys 0x409B6B1796C275462A1703113804BB82D39DC0E3 ||
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
We use HTTPS all over the place. You still have not given any argument why avoiding HTTPS in this single, isolated case improves security. I'm still concerned about many people experiencing some three minutes or so of unneeded installation delay in the common situation when they install behind a firewall that disallows hkp.
You're right, let's just use
Thanks, @mpapis ! So this is what we already have. Who does the merge? I could do it myself, but it's more stylish if someone else clicks the "merge pull request" - button.
Thanks both @aknrdureegaesr & @mpapis!
Don't know what to do
@johnehueston : With this pull request? Nothing. It has been merged into the If you have questions, one of many things you can do to get them answered: Pull down this repo to your own computer, and find out my private email address via
and write an email to me. Who knows - I might answer.
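Added example (not part of this pull request or the installer's code): one way to keep the HTTPS download discussed in this thread while still checking the fetched key against the fingerprint quoted above before importing it. The function names are hypothetical, and `--show-keys` assumes a GnuPG 2.x release that provides it.

```shell
# Fingerprint as quoted in this thread (assumed to be the value you want to pin).
EXPECTED_FPR=409B6B1796C275462A1703113804BB82D39DC0E3

# Read a `gpg --with-colons` key listing on stdin and print the fingerprint
# of every primary key: the first "fpr" record after each "pub" record.
primary_fprs() {
  awk -F: '$1=="pub"{want=1; next} $1=="fpr" && want {print toupper($10); want=0}'
}

# Succeed only if the listing on stdin contains at least one primary key and
# every primary key has the pinned fingerprint ($1, "0x" prefix optional).
key_matches_pin() {
  want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
  fprs=$(primary_fprs)
  [ -n "$fprs" ] || return 1
  for f in $fprs; do
    [ "$f" = "$want" ] || return 1
  done
}

# Download the key to a temp file, inspect it without touching the keyring,
# and import it only when the fingerprint matches the pin.
fetch_and_import() {
  tmp=$(mktemp) || return 1
  if ! curl -sSL https://rvm.io/mpapis.asc -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  if gpg --with-colons --show-keys "$tmp" | key_matches_pin "$EXPECTED_FPR"; then
    gpg --import "$tmp"; rc=$?
  else
    echo "fingerprint mismatch, key not imported" >&2; rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```

With a pin in place the installer stops working when the published key changes, which is the trade-off the rationale in this thread weighs against reliability.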