[libre-riscv-dev] next tasks

Luke Kenneth Casson Leighton lkcl at lkcl.net
Fri Mar 13 10:13:06 GMT 2020


On Fri, Mar 13, 2020 at 8:25 AM Jacob Lifshay <programmerjake at gmail.com> wrote:

> it's similar to installing firefox on windows, where you download and run
> the executable.

which says it all.

as an aside: when i analysed and derived the security requirements
that went into debian's package distribution design, it was
*SEVENTEEN* separate and distinct very specific requirements, any one
of which, if not complied with, completely and utterly destroyed the
security chain of package integrity.

https://github.com/rust-lang/rustup#security

"rustup is secure enough for the non-paranoid, but it still needs
work. rustup performs all downloads over HTTPS, but does not yet
validate signatures of downloads."

here's the good and the bad:

1). bad: it is seriously demeaning to use the phrase "non-paranoid" -
to ACCUSE potential users of rust of "being paranoid".  can i suggest,
jacob, raising that as a severe and high-priority issue with the rust
community to get that removed effective immediately?

2). bad: relying on HTTPS simply makes the website itself a
high-priority hacking target.  HTTPS verifies the *channel*, *not* the
contents.

3). good: at least they recognise that signature validation is critical.

4). bad: unfortunately they don't describe - at all - how they intend
to tackle this, and i can pretty much guarantee that if they haven't
thought about it fully, they *will* get it wrong.  even copying
something like Redhat package distribution or archlinux distribution,
they'll get it wrong.

l.
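
Added example (not part of the original message, and not rustup's or Debian's code): a client-side check for points 2 and 3, where an installer is accepted only if a manifest signed by an offline key covers its hash, whatever the HTTPS session says. The Lamport one-time signature (one key signs one manifest) is a stdlib-only stand-in for a real signing tool; the seed, file contents and function names are constructed for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen(seed: bytes):
    """Lamport one-time key pair; the seed is fixed here only for reproducibility."""
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(secret) for secret in pair] for pair in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

def manifest_for(installer: bytes) -> bytes:
    return b"sha256=" + hashlib.sha256(installer).hexdigest().encode()

def client_accepts(pk, served) -> bool:
    """served = (installer, manifest, signature): all untrusted, even over valid HTTPS."""
    installer, manifest, sig = served
    return verify(pk, manifest, sig) and hmac.compare_digest(manifest, manifest_for(installer))

# Constructed scenario: the signing key stays offline, only PK ships with the client.
SK, PK = keygen(b"constructed demo seed")
GOOD = b"#!/bin/sh\necho install toolchain\n"
HONEST = (GOOD, manifest_for(GOOD), sign(SK, manifest_for(GOOD)))

def tampered_responses(honest):
    """What a modified web server could serve without the signing key (TLS still valid)."""
    altered = b"#!/bin/sh\necho tampered\n"
    _, manifest, old_sig = honest
    payload_only = (altered, manifest, old_sig)               # signed manifest, new payload
    payload_and_manifest = (altered, manifest_for(altered), old_sig)  # replayed signature
    return payload_only, payload_and_manifest
```

A client that trusts only the channel would accept all three responses; this check accepts only `HONEST`.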


