IBM-Cloud / ibm-cloud-developer-tools

Installation scripts for the new IBM Cloud Developer CLI Plugin and its dependencies.
Apache License 2.0
131 stars, 146 forks

Installer adds PPA on Ubuntu/Debian which changes user's git version & exposes user to untrusted software #138

Open rcj4747 opened 5 years ago

rcj4747 commented 5 years ago

Summary The installer adds a Personal Package Archive ppa:git-core/ppa without disclosing this to the user. There are 3 issues: 1) trust/security, 2) unspecified requirements, and 3) broken install logic.

Trust/Security Adding the PPA violates user trust and exposes users of this CLI to an attack vector. Ubuntu users are strongly cautioned "Only add software repositories from sources that you trust! Third-party software repositories are not checked for security or reliability by Ubuntu members, and may contain software which is harmful to your computer."

Explicit Version Requirements The PPA for git-core is added, which will install the latest upstream git version. This is performed without respect to the current version of git installed on the system. Nowhere is a minimum version for git specified. If we knew what the minimum required version for git was, we might not need to diverge from the version shipped in the Linux distribution. And if the installed/distro version was too old, you could install from the distro version and prompt the user to decide if they want to trust a 3rd party PPA.

Broken Install Logic After adding the PPA, the git install logic doesn't even install the newer git as long as some version of git is present. So this is adding an untrusted software source to my workstation, not explicitly updating to the software from the PPA, and I'll get a version bump at some point in the future when I update packages and have no connection of that to this installer. Furthermore, you never remove the PPA in the uninstall script.

The addition of a PPA without consent is troubling. It is not clear that the absolute latest version of git is actually needed (or what I lose if I don't allow a non-distro git release). But combined with issue #44 "No checksum validation of downloaded files" and this being an unsigned installer which instructs the user to curl from the internet and pipe to sh projects a lack of concern about security.

Steps to reproduce (include tooling version, platform, etc)

  1. Code inspection

Operating System (MacOS, Linux, Windows): Ubuntu Linux 19.04

Supporting details (logs, stack traces, images, etc.): No logs; I won't run the installer.

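The install flow the comment asks for, as an added example in POSIX sh; this is not the project's installer and not code from rcj4747. It checks the installed git against a stated minimum, keeps the distro package when that is enough, asks for consent before adding ppa:git-core/ppa, actually installs from the PPA once added, and records the addition so the uninstall path can remove it. The minimum version 2.17.0 and the state file `~/.ibm-cloud-dev-tools-added-repos` are assumptions chosen for the example; `add-apt-repository`, `apt-get` and `git --version` are the real tools.

```shell
#!/bin/sh
# Added example, not the project's installer: gate the git-core PPA on an
# explicit minimum version and on user consent, and record what was added
# so the uninstall script can undo it.

# Hypothetical minimum; the issue's complaint is that the real installer
# states none. Set this to whatever the CLI actually needs.
GIT_MIN_VERSION=2.17.0

# Hypothetical state file remembering the repositories this installer added.
ADDED_REPOS_FILE="${HOME}/.ibm-cloud-dev-tools-added-repos"

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# component by component (missing trailing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# git_meets_minimum VERSION: is VERSION new enough for this tool?
git_meets_minimum() {
    version_ge "$1" "$GIT_MIN_VERSION"
}

# installed_git_version: print the version of the git on PATH; fail if absent.
installed_git_version() {
    command -v git >/dev/null 2>&1 || return 1
    git --version | awk '{ print $3 }'   # "git version 2.20.1" -> 2.20.1
}

# ensure_git: keep the distro git when it is new enough; otherwise ask before
# adding the third-party PPA and, if consented, install from it right away.
ensure_git() {
    cur=$(installed_git_version) || cur=""
    if [ -n "$cur" ] && git_meets_minimum "$cur"; then
        echo "git $cur satisfies the minimum ($GIT_MIN_VERSION); keeping the distro package"
        return 0
    fi
    if [ -z "$cur" ]; then
        echo "git is not installed; version $GIT_MIN_VERSION or newer is required"
    else
        echo "git $cur is older than the required $GIT_MIN_VERSION"
    fi
    echo "A newer git is available from the third-party PPA ppa:git-core/ppa."
    echo "Adding it means trusting software Ubuntu does not check for security or reliability."
    printf 'Add ppa:git-core/ppa and install git from it? [y/N] '
    read -r answer
    case "$answer" in
        [Yy]*) ;;
        *) echo "Not adding the PPA; install git >= $GIT_MIN_VERSION and re-run." >&2; return 1 ;;
    esac
    sudo add-apt-repository -y ppa:git-core/ppa
    sudo apt-get update
    # 'install' also upgrades an already-present git, so the PPA version is
    # applied now rather than on some later, unrelated 'apt upgrade'.
    sudo apt-get install -y git
    echo 'ppa:git-core/ppa' >> "$ADDED_REPOS_FILE"
}

# remove_added_repos: the uninstall counterpart; removes only what we added.
remove_added_repos() {
    [ -f "$ADDED_REPOS_FILE" ] || return 0
    while read -r repo; do
        [ -n "$repo" ] && sudo add-apt-repository -r -y "$repo"
    done < "$ADDED_REPOS_FILE"
    rm -f "$ADDED_REPOS_FILE"
}

case "${1:-}" in
    install)   ensure_git ;;
    uninstall) remove_added_repos ;;
esac
```

Run as `sh install-git.sh install` and `sh install-git.sh uninstall`. The version comparison is numeric per component so that 2.7.4 sorts below 2.17.0 (a plain string comparison would get that wrong), and the PPA is only ever added after the user has seen the same warning Ubuntu gives about third-party repositories.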

rcj4747 commented 5 years ago

Additionally, log messages throughout indicate installation of packages like git even if the installer will be skipping installation due to an existing binary.

Edit: I see this particular comment is already covered in issue #49.

rcj4747 commented 5 years ago

PR #43 or PR #71 or PR #84 all address this, one of them should be merged.