some packages are downloaded via HTTP ? #73
On Wed, Oct 14, 2020 at 06:34:26PM -0700, Andrei Mikhailov wrote:
When calling `raco pkg install rash`, it seems that some packages, such as `overeasy` and `mcfly` are downloaded via plain HTTP, no SSL... Could this open a possibility of MITM attack?
Hmm, I hadn't noticed that that package author serves his sources only
over HTTP. Yes, that is cause for concern. However, those packages
are only necessary for some of the code in the demo directory. I've
been thinking of splitting off the demos into a separate `rash-demos`
package to reduce dependencies anyway, so this gives extra motivation.
I rather wish he would make git repositories for those packages
available somewhere -- some of his packages have useful functionality
that I would like to extend (rather than writing a completely new
library myself), but I'm not going to hack on packages with no public
code repository. Even if I were to simply fork, having an existing
repository to fork from would be useful.
Thanks for the heads-up.
I've gone ahead and split out the demo code into a separate package. This fixes the issue unless you also install that new package. Since the demos should mostly be used for understanding and writing your own code (they explicitly promise no stability), I don't mind as much that the problem lives on there. However, perhaps if you contact the author of those packages he will consider at least adding https to his server or to the package URLs.
On Thu, Oct 15, 2020 at 02:08:57PM -0700, Andrei Mikhailov wrote:
Thank you ! But, I am surprised that `raco pkg` allows this to happen... Should I file a bug against `Raco`?
Perhaps. I would want to be warned, at least, that some packages are
being downloaded via http with no ssl.
Also, notice that Neil Van Dyke __does__ have HTTPS on his website. Is it that only packages are over HTTP? Could it be an issue with `Raco` ?
It could be that he just didn't put the `s` in the package URL. That
could fix it. I'll email Neil and perhaps he'll just add the `s`s.
Another possibility for dealing with this problem generally is that
the pkgs.racket-lang.org could flag packages that use raw http like it
flags packages that have build/test errors. This would be less
visible while installing things, but would be better than nothing, and
would be something that package authors would see reducing the
at-a-glance reputability of their packages. I forget who is in charge
of pkgs.racket-lang.org at the moment, or I would @ them.
@mflatt do you want to weigh in on package security?
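The catalog-side check suggested above (flagging packages whose sources are fetched over raw http, including ones pulled in only as dependencies) could look like the following. This is an added example, not code from the rash project, from `raco pkg`, or from pkgs.racket-lang.org; the catalog, package names, URLs and dependency edges in it are constructed for illustration and the catalog record shape (`source` plus `deps`) is an assumption.

```python
"""Added example: walk a package catalog from an install target and report
every package, direct or transitive, whose source would be fetched over
plain http. Not the Racket package manager's own code; the catalog below
and its record shape are assumptions made for the example."""
from collections import deque
from urllib.parse import urlparse

# Constructed catalog: name -> {"source": url, "deps": [names]}.
# The dependency shape mirrors the thread (rash pulling in overeasy and
# mcfly), but every URL and edge here is made up.
CATALOG = {
    "rash": {
        "source": "https://example.invalid/rash.zip",
        "deps": ["overeasy", "mcfly", "base"],
    },
    "overeasy": {
        "source": "http://example.invalid/overeasy.zip",
        "deps": ["mcfly"],
    },
    "mcfly": {
        "source": "http://example.invalid/mcfly.zip",
        "deps": [],
    },
    "base": {
        "source": "https://example.invalid/base.zip",
        "deps": [],
    },
}


def transport_is_cleartext(source: str) -> bool:
    """True when the URL scheme is plain http, including forms such as
    git+http where the transport is named after a '+'."""
    scheme = urlparse(source).scheme.lower()
    transport = scheme.split("+", 1)[1] if "+" in scheme else scheme
    return transport == "http"


def cleartext_sources(root: str, catalog: dict) -> list:
    """Return sorted (package, source) pairs reachable from `root` whose
    source would be downloaded without TLS. Dependency cycles are safe
    because each package is visited once."""
    seen = set()
    queue = deque([root])
    flagged = []
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        entry = catalog.get(name)
        if entry is None:
            continue  # not in this catalog: nothing to inspect
        if transport_is_cleartext(entry["source"]):
            flagged.append((name, entry["source"]))
        queue.extend(entry["deps"])
    return sorted(flagged)


def report(root: str, catalog: dict) -> str:
    """Human-readable summary in the spirit of the build/test-error flags
    the catalog already shows."""
    hits = cleartext_sources(root, catalog)
    if not hits:
        return f"{root}: all sources use TLS"
    lines = [f"{root}: {len(hits)} package(s) fetched over plain http:"]
    lines += [f"  {name}  <-  {source}" for name, source in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("rash", CATALOG))
```

Run against a real catalog dump, the same walk would let an installer warn before the first cleartext download rather than after it, which is the visibility the thread asks for.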
It's rare for packages to be accessed via HTTP, because most are on GitHub, and the package manager rewrites Making
OK, I submitted racket/racket#3443