[libre-riscv-dev] Rustup security

Jacob Lifshay programmerjake at gmail.com
Fri Mar 13 18:10:50 GMT 2020

On Fri, Mar 13, 2020, 03:13 Luke Kenneth Casson Leighton <lkcl at lkcl.net>

> On Fri, Mar 13, 2020 at 8:25 AM Jacob Lifshay <programmerjake at gmail.com>
> wrote:
> > it's similar to installing firefox on windows, where you download and run
> > the executable.
> which says it all.
> as an aside: when i analysed and derived the security requirements
> that went into debian's package distribution design, it was
> *SEVENTEEN* separate and distinct very specific requirements, any one
> of which, if not complied with, completely and utterly destroyed the
> security chain of package integrity.
> https://github.com/rust-lang/rustup#security
> "rustup is secure enough for the non-paranoid, but it still needs
> work. rustup performs all downloads over HTTPS, but does not yet
> validate signatures of downloads."
> here's the good and the bad:
> 1). bad: it is seriously demeaning to use the phrase "non-paranoid" -
> to ACCUSE potential users of rust of "being paranoid".  can i suggest,
> jacob, raising that as a severe and high-priority issue with the rust
> community to get that removed effective immediate?


I don't have permissions to set severity or priority, though I did make a

> 2). bad: relying on HTTPS simply makes the website itself a
> high-priority hacking target.  HTTPS verifies the *channel*, *not* the
> contents.


> 3). good: at least they recognise that signature validation is critical.
> 4). bad: unfortunately they don't describe - at all - how they intend
> to tackle this, and i can pretty much guarantee that if they haven't
> thought about it fully, they *will* get it wrong.  even copying
> something like Redhat package distribution or archlinux distribution,
> they'll get it wrong.

They actually do in the list of github issues linked from the above linked
security section:


More information about the libre-riscv-dev mailing list