From: Björn Höfling
Subject: bug#34125: Installation script needs to be secured with a gpg signature
Date: Fri, 18 Jan 2019 16:23:01 +0100
Message-ID: <20190118162301.52eaeb12@alma-ubu>
To: 34125@debbugs.gnu.org

I was looking at the installation video from Laura (not yet public) and wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be safeguarded by a PGP signature too? Because if it is not, the user could be tricked into a script that downloads a "bad" Guix installation tarball.

That's what we are always criticising about others' wget scripts that install whatever to the user.

WDYT?

Björn
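One way to add the check Björn asks for, as an added example that is not part of this bug report nor of Guix's own installer: verify a detached OpenPGP signature of the downloaded script against a keyring you pinned out of band, and only then execute it. The script, signature and keyring paths are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from Guix): only run a downloaded
# installer after its detached OpenPGP signature verifies against a keyring we
# pinned ourselves. All file names are placeholders chosen for this example.

# verify_and_run SCRIPT SIGNATURE KEYRING
# Runs SCRIPT only when SIGNATURE is a good signature over SCRIPT made by a key
# in KEYRING. Returns 2 if an input is missing, 1 if verification fails,
# otherwise the exit status of the script itself.
verify_and_run() {
    script=$1; sig=$2; keyring=$3
    if [ ! -f "$script" ] || [ ! -f "$sig" ] || [ ! -f "$keyring" ]; then
        echo "verify_and_run: missing script, signature or keyring" >&2
        return 2
    fi
    # --no-default-keyring/--keyring: trust only the pinned keyring, not
    # whatever the user's default keyring happens to contain. Pass the keyring
    # as a path containing a slash, otherwise gpg looks for it in its home dir.
    if gpg --batch --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$script" >/dev/null 2>&1; then
        sh "$script"
    else
        echo "verify_and_run: signature check FAILED for $script; not executing" >&2
        return 1
    fi
}

# Stand-alone use:
#   sh verify_install.sh guix-install.sh guix-install.sh.sig /path/to/trusted.gpg
if [ "$#" -eq 3 ]; then
    verify_and_run "$1" "$2" "$3"
fi
```

gpg exits 0 for a good signature even when the signing key is not certified in your web of trust, so the keyring file is the thing you are pinning: fetch it separately from the script and compare its fingerprint against a source you trust before relying on it.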