[libre-riscv-dev] Rustup security

[Jacob Lifshay]

On Fri, Mar 13, 2020, 03:13 Luke Kenneth Casson Leighton <lkcl at lkcl.net>
wrote:

> On Fri, Mar 13, 2020 at 8:25 AM Jacob Lifshay <programmerjake at gmail.com>
> wrote:
>
> > it's similar to installing firefox on windows, where you download and run
> > the executable.
>
> which says it all.
>
> as an aside: when i analysed and derived the security requirements
> that went into debian's package distribution design, it was
> *SEVENTEEN* separate and distinct very specific requirements, any one
> of which, if not complied with, completely and utterly destroyed the
> security chain of package integrity.
>
> https://github.com/rust-lang/rustup#security
>
> "rustup is secure enough for the non-paranoid, but it still needs
> work. rustup performs all downloads over HTTPS, but does not yet
> validate signatures of downloads."
>
> here's the good and the bad:
>
> 1). bad: it is seriously demeaning to use the phrase "non-paranoid" -
> to ACCUSE potential users of rust of "being paranoid".  can i suggest,
> jacob, raising that as a severe and high-priority issue with the rust
> community to get that removed effective immediate?
>

https://github.com/rust-lang/rustup/issues/2262

I don't have permissions to set severity or priority, though I did make a
comment.

>
> 2). bad: relying on HTTPS simply makes the website itself a
> high-priority hacking target.  HTTPS verifies the *channel*, *not* the
> contents.
>

yeah.


> 3). good: at least they recognise that signature validation is critical.
>
> 4). bad: unfortunately they don't describe - at all - how they intend
> to tackle this, and i can pretty much guarantee that if they haven't
> thought about it fully, they *will* get it wrong.  even copying
> something like Redhat package distribution or archlinux distribution,
> they'll get it wrong.
>

They actually do in the list of github issues linked from the above linked
security section:
https://github.com/rust-lang/rustup/issues?q=is%3Aopen+is%3Aissue+label%3Asecurity

Jacob