From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: Idea: Install script to better support improving contributor-friendliness of projects Date: Tue, 28 Nov 2017 17:11:15 +0100 Message-ID: <87bmjmxu1o.fsf@gnu.org> References: <311dec57-62fd-a88d-19d4-2eae9041ef97@gmail.com> <87bmjook1w.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43402) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eJiTk-0002hS-Pi for guix-devel@gnu.org; Tue, 28 Nov 2017 11:11:25 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eJiTh-0002CW-Hq for guix-devel@gnu.org; Tue, 28 Nov 2017 11:11:24 -0500 Received: from [2a01:474::1] (port=40082 helo=hera.aquilenet.fr) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eJiTh-0002Bx-AP for guix-devel@gnu.org; Tue, 28 Nov 2017 11:11:21 -0500 In-Reply-To: <87bmjook1w.fsf@netris.org> (Mark H. Weaver's message of "Sun, 26 Nov 2017 15:35:07 -0500") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver , Christopher Baines Cc: =?utf-8?B?0J3QuNC60LjRgtCwINCn0YPRgNCw0LXQsg==?= , guix-devel@gnu.org Hello, Mark H Weaver skribis: > =D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0 =D0=A7=D1=83=D1=80=D0=B0=D0=B5=D0=B2= writes: > >> Here's how I want to use Guix and it is to increase >> contributor-friendliness of a project, so that the user can simply run >> a distribution-independent command to install all dependencies without >> having to hunt for them with `apt` and `dnf` manually. >> >> Unfortunately, Guix itself is not very easy to install, and the >> instructions are full of rather technical stuff like 'systemd' and >> 'upstart'. >> >> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.h= tml >> >> There should be a script like the one Haskell Stack uses: >> >> |curl -sSL https://get.haskellstack.org/ | sh| > > I can understand the appeal of such a convenient approach. However, > this practice of downloading a script via HTTPS and immediately running > it as root without inspection puts you at considerable risk. A > man-in-the-middle with the resources to compromise or bribe *any* > certificate authority in your trust store (the attacker could choose > which one) could acquire a fraudulent certificate to impersonate our > site, and then substitute in a different script than the one we > provided. Quite a few organizations are capable of such an attack > today. > > Therefore, I believe it would be irresponsible for us to promote this > style of installation. Seconded. > However, if there's sufficient interest, and if we could produce a > sufficiently robust "auto-install" script, we could perhaps do something > close to what you suggested. We could provide a script along with a > GnuPG digital signature. We could ask the user to download the script, > acquire our signing key, verify the signature on the script, and then > run the script as root. I while back Chris Baines and someone else (?) had worked on such a script, but I=E2=80=99m not sure what happened. Chris, does that ring a bell? It would be nice to have it in time for the new release. Ludo=E2=80=99.