README gpg guidelines are insufficient #9859
Labels
doc
Issues and PRs related to the documentations.
Comments
|
@raggi can you submit a PR with the suggested change and we can discuss it in the PR |
|
I agree that custom keyrings overall provide better safety guarantees when scripting. However, when doing the verification manually - it is a good practice to see who made the signature. Especially, assuming that people may be added to the authorized release group. |
|
I'm muting the issue now, feel free to respond as you will. Best, raggi |
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Also note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Also note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Also note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 12, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
ypid
added a commit
to ypid/asdf-nodejs
that referenced
this issue
Feb 20, 2017
Please refer to [Verifying Node.js Binaries](https://blog.continuation.io/verifying-node-js-binaries/) for why this is important. Related to: asdf-vm/asdf#158 Mitigates: nodejs/node#9859 Mitigates: nodejs/node#6821 Implementing this feature required some rework of the `install` script which is included in this PR. The following other PR are superseded/included in this one: Closes: asdf-vm#15 Closes: asdf-vm#16 Closes: asdf-vm#19 Note that this PR also updates the base download URL from "http://nodejs.org/dist" to "https://nodejs.org/dist" meaning that before this PR (or asdf-vm#16 which is not merged), binaries where downloaded over plain legacy HTTP! (those binaries where later executed by the user). This is really bad and is fairly easy to exploit! Related to: nvm-sh/nvm#736 Related to: nvm-sh/nvm#793
|
This issue has been inactive for sufficiently long that it seems like perhaps it should be closed. Feel free to re-open (or leave a comment requesting that it be re-opened) if you disagree. I'm just tidying up and not acting on a super-strong opinion or anything like that. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The readme states:
However, this operation will only verify that the file was armored by some previously trusted gpg public key. Any user that trusts more than just the node publishing keys may be vulnerable to packages published by non-nodejs team members.
This process should use
--no-default-keyringand a keyring/key file fit for purpose, along with--verifyThe text was updated successfully, but these errors were encountered: