caml-list - the Caml user's mailing list
From: Edwin Török <edwin+ml@etorok.eu>
To: caml-list@inria.fr
Subject: [Caml-list]  Build-/Installation-Tools - not enogh of them?
Date: Mon, 3 Dec 2018 00:16:32 +0000
Message-ID: <97acc819-6c68-3a0d-e05a-fda0a6e75bf7@etorok.eu> (raw)
In-Reply-To: <7429727.XKSIZ6bzdz@agaric>

On 30/11/2018 16:31, Louis Gesbert wrote:
>> - John F Carr, 27/11/2018 13:40 -
>> I have a related request.  I am not a trusting person.  I do not like "curl | sudo sh" type installation methods.
> You're not the only one :)
> Some notes on opam's security model:
>
> [...]
> - we do advertise `curl | sh` on the installation page as the easiest entry point, but the script is quite trivial and only uses root to copy to your prefix; it's very easy to fetch the binary by hand from Github if you prefer not to run it, and of course, you can also build from source using the bootstrap scripts.


Malicious attacks aren't the only reason why 'curl | sh' is dangerous;
it lacks basic integrity checks before execution:

* the curl download could be interrupted for any number of reasons, and
then the shell will attempt to execute the incomplete lines. Most of the
time that is harmless, but what if the script contained an 'rm -rf
${FOO}/${BAR}' that gets truncated to 'rm -rf ${FOO}/'? Such truncation
scenarios are probably not tested by a CI.

* the server could reply with something other than your file, not
necessarily for malicious reasons. Consider what would happen if
GitHub has a hiccup and replies with https://github.com/503.html,
which gets piped into the shell, which attempts to execute it: are we
sure it doesn't have any unintended consequences (or someone might put a
joke about rm in one of the error pages some day)?


A slightly better approach would be:

curl -sL --fail https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh -o install-opam.sh \
  && sh install-opam.sh


Although curl's manpage says that --fail is not fail-safe: it could
still return success for a 401 error sometimes.


This command would solve the concerns above but then you'd have to keep
the webpage and the repo in sync:

curl -sL https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh -o install.sh-opam.tmp \
  && echo '0ebdb94df8940f838727bd12728d778a4a67e8006db3df330b4e0171c7f29a81  install.sh-opam.tmp' | sha256sum -c \
  && mv install.sh-opam.tmp install-opam.sh \
  && sh install-opam.sh

Perhaps the checksum file could be hosted in the repo, and point people
to run the script from a particular tag on the opam repo (to avoid race
conditions between fetching the checksum file and the file itself).


In the end I'm not sure if the added complication is worth it; it might be
easier to just point people to the releases page where the install.sh
could be downloaded from and executed.

If you do plan to keep 'curl | sh', I'd suggest including at least the
--fail from above.


Best regards,

--Edwin



-- 
Caml-list mailing list.  Subscription management and archives:
https://sympa.inria.fr/sympa/arc/caml-list https://inbox.ocaml.org/caml-list
Forum: https://discuss.ocaml.org/
Bug reports: http://caml.inria.fr/bin/caml-bugs
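The download-then-verify-then-execute flow discussed in the message above, as an added, self-contained example; this is not opam's install.sh nor any script from the opam project. It splits the steps so that nothing is executed until the file is complete and matches a pinned SHA-256: `fetch` uses curl's `--fail` (and refuses non-HTTPS redirects), `verify_sha256` checks the pinned hash with `sha256sum -c` (falling back to `shasum`), and `install_verified` wires them together. The URL and hash passed to `install_verified` are the caller's own; `demo_truncation` runs entirely offline on a constructed two-line "installer" and shows that a transfer cut off after the `${PREFIX}/` of the last line is rejected by the hash check rather than executed.

```shell
#!/bin/sh
# Added example (not from the original message or the opam project):
# fetch an installer to a file, verify a pinned SHA-256, only then run it.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or Perl shasum).
sha256_of() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
      else shasum -a 256 "$1"; fi; } | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX: 0 if FILE hashes to EXPECTED_HEX, else 1.
# The "HEX  FILE" line (two spaces) is the format sha256sum -c expects.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
    else
        printf '%s  %s\n' "$2" "$1" | shasum -a 256 -c --status
    fi
}

# fetch URL OUT: download to OUT. --fail turns HTTP 4xx/5xx (e.g. a 503 error
# page) into a non-zero exit instead of a saved HTML file; a transfer that is
# cut off mid-way already makes curl exit non-zero. --proto/--proto-redir
# refuse to follow a redirect onto plain http.
fetch() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' "$1" -o "$2"
}

# install_verified URL EXPECTED_HEX: the hardened replacement for `curl | sh`.
# Both arguments are the caller's (placeholders here, not real release data).
install_verified() {
    tmp=$(mktemp) || return 1
    if ! fetch "$1" "$tmp"; then
        rm -f "$tmp"; echo "download failed, nothing executed" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$2"; then
        rm -f "$tmp"; echo "checksum mismatch, nothing executed" >&2; return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# demo_truncation: offline reproduction of the truncation case. A constructed
# installer is cut after "${PREFIX}/" (the '${FOO}/' case from the message);
# the pinned hash of the full file accepts the full file and rejects the stub.
# Returns 0 when the check behaves that way.
demo_truncation() {
    full=$(mktemp); short=$(mktemp)
    printf '#!/bin/sh\necho "installing to ${PREFIX}/${SUBDIR}"\n' > "$full"
    expected=$(sha256_of "$full")            # what a release page would publish
    dd if="$full" of="$short" bs=1 count=40 2>/dev/null   # dropped after 40 bytes
    if verify_sha256 "$full" "$expected" && ! verify_sha256 "$short" "$expected"; then
        rm -f "$full" "$short"; return 0
    fi
    rm -f "$full" "$short"; return 1
}

# Usage: ./verified-install.sh --demo
#        ./verified-install.sh URL EXPECTED_SHA256
case "${1-}" in
    --demo) demo_truncation && echo "truncated download rejected before execution" ;;
    "")     ;;
    *)      install_verified "$1" "$2" ;;
esac
```

The hash still has to come from somewhere the attacker of the download path cannot also edit, which is the point made above about publishing it in the repository at a tagged release rather than next to the script on the same page.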

Thread overview: 70+ messages
2018-11-26 10:15 Oliver Bandel
2018-11-26 16:41 ` Yawar Amin
2018-11-26 16:58   ` Julia Lawall
2018-11-26 17:16     ` Yawar Amin
2018-11-26 20:33       ` Julia Lawall
2018-11-26 20:48         ` Yawar Amin
2018-11-26 20:54           ` Julia Lawall
2018-11-26 21:19             ` Yawar Amin
2018-11-26 21:29               ` Julia Lawall
2018-11-26 22:16                 ` SP
2018-11-27  5:24                   ` Malcolm Matalka
2018-11-28  0:21                     ` SP
2018-11-27  6:11                   ` Julia Lawall
2018-11-27  8:46                     ` SF Markus Elfring
2018-11-28  0:04                     ` SP
2018-11-27  9:27                 ` SF Markus Elfring
2018-11-27 10:08                   ` Julia Lawall
2018-11-27 10:28                     ` [Caml-list] Build-/Installation-Tools - not enough " SF Markus Elfring
2018-11-27 10:34                       ` Julia Lawall
2018-11-27 11:05                         ` Jean-Francois Monin
2018-11-27 11:11                           ` Kakadu
2018-11-27 13:19                             ` Malcolm Matalka
2018-11-28  1:53                               ` Francois Berenger
2018-11-28 15:37                             ` Ian Zimmerman
2018-11-27 13:07                     ` [Caml-list] Build-/Installation-Tools - not enogh " Jean-Marc Alliot
2018-12-06 12:21               ` Richard W.M. Jones
2018-12-06 16:11                 ` Yawar Amin
2018-12-06 20:18                   ` Richard W.M. Jones
2018-12-07  7:31                     ` Daniel Bünzli
2018-12-07  7:45                       ` [Caml-list] What happened to the 'ancient' library for OCaml? Francois Berenger
2018-12-07  8:24                         ` Richard W.M. Jones
2018-12-07  8:27                       ` [Caml-list] Build-/Installation-Tools - not enogh of them? Richard W.M. Jones
2018-12-07  9:01                         ` Daniel Bünzli
2018-12-07 13:22                       ` Stéphane Glondu
2018-12-08  0:58                         ` Daniel Bünzli
2018-12-13 23:45                           ` SP
2018-12-11  2:47                         ` Francois Berenger
2018-12-07 13:12                     ` Malcolm Matalka
2018-11-27 14:33             ` Anil Madhavapeddy
2018-11-27 14:36     ` Gerd Stolpmann
2018-11-30 16:01   ` Louis Gesbert
2018-11-26 22:44 ` Jaap Boender
2018-11-26 22:54   ` Simon Cruanes
2018-11-27 13:29     ` Oliver Bandel
2018-11-27 13:45       ` [Caml-list] Build-/Installation tools - not enough " SF Markus Elfring
2018-11-27 15:06       ` [Caml-list] Build-/Installation-Tools - not enogh " Simon Cruanes
2018-11-27 15:49         ` Oliver Bandel
2018-11-27 16:27           ` Daniel Bünzli
2018-11-27 17:46             ` Jaap Boender
2018-11-28 11:48               ` Jeremie Dimino
2018-12-01 15:12                 ` [Caml-list] How to start with the curren toolset? Hendrik Boom
2018-12-01 17:07                   ` Ian Zimmerman
2018-12-02 15:27                   ` Daniel Bünzli
2018-12-02 23:36                     ` David Allsopp
2018-12-03  2:19                     ` [Caml-list] let's give a try at opam-bundle Francois Berenger
2018-12-02 17:44                   ` [Caml-list] confusing message in opam installer Hendrik Boom
2018-12-02 17:50                     ` Julia Lawall
2018-12-05 19:09                       ` Raja Boujbel - OCamlPro
2018-11-27 16:27           ` [Caml-list] Build-/Installation tools - not enough of them? SF Markus Elfring
2018-11-27 17:11           ` [Caml-list] Build-/Installation-Tools - not enogh " Markus Mottl
2018-11-30 12:41             ` [Caml-list] <DKIM> " Vu Ngoc San
2018-12-07 15:19             ` [Caml-list] " oliver
2018-11-27 16:52       ` Hendrik Boom
2018-11-27 14:11     ` Jaap Boender
2018-11-27  2:33   ` Francois Berenger
2018-11-27 13:31     ` Oliver Bandel
2018-11-27 13:40 ` John F Carr
2018-11-30 16:33   ` Louis Gesbert
2018-12-01  5:01     ` Louis Roché
2018-12-03  0:16     ` Edwin Török [this message]
