akavel / up

Ultimate Plumber is a tool for writing Linux pipes with instant live preview
Apache License 2.0

Adding checksum to release artifacts #24

Open sarcasticadmin opened 6 years ago

sarcasticadmin commented 6 years ago

Would it be possible to add a checksum.txt for release artifacts going forward? It's nice to be able to verify the builds for extra peace of mind. An example would be something like fabio: https://github.com/fabiolb/fabio/releases

akavel commented 6 years ago

Hmm, I can't seem to find it on the releases page you linked to; but I am on mobile now, maybe it hides something? Can you please give me a direct link to the file, or describe in words where I can find it?

Then, another thing is that it's not really clear what checksums would add over https? If somebody compromises my account to change the files, they can change the checksums too, no? I'm really curious about scenarios where the file could add some value, can you give me some examples?


On an unrelated note: based on your avatar image, are you a plan9 person? If yes, did you maybe try building and running up on plan9? I'm curious if it works and I could be publishing the binaries for this platform too with a reasonable peace of mind...?

sarcasticadmin commented 6 years ago

Sorry the link didn't work for you, I was specifically calling out the latest Fabio release: https://github.com/fabiolb/fabio/releases/tag/v1.5.10

They include the following checksum and sig files in their release: https://github.com/fabiolb/fabio/releases/download/v1.5.10/fabio-1.5.10-go1.11.1.sha256 https://github.com/fabiolb/fabio/releases/download/v1.5.10/fabio-1.5.10-go1.11.1.sha256.sig

Assuming the checksum and other artifacts are legitimate, it's nice to have a checksum to validate that all artifacts match a given release. But I agree that if the account gets compromised then just the checksums won't be much good for authenticity. You can additionally sign the checksum file with GPG so users can validate the authenticity of the checksum out of band. An example of this is Hashicorp's go tooling. Their process is laid out here and includes a good example: https://www.hashicorp.com/security.html


Unfortunately I'm not a plan9 user. The avatar is more of an inside joke with some old colleagues. I am however a FreeBSD user and I can report that the latest version of up is successfully running on FreeBSD 11.2!
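The two points raised in this thread (a checksum file catches a swapped artifact, but only a signature over the checksum file made with a key the attacker does not hold catches a compromised release account) can be shown end to end in code. The following is an added example, written for this page; it is not code from the up project or from either commenter. It is in Go because up itself is a Go program. Ed25519 from the standard library stands in for the GPG signature the thread describes (an assumption, chosen so the example runs offline), the artifact names and contents are constructed samples rather than real release files, and the checksum file is written in the `sha256sum`-compatible "<hex>  <name>" layout so the same manifest could be checked with `sha256sum -c`.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Release is an in-memory stand-in for a release directory: artifact name -> bytes.
type Release map[string][]byte

// ChecksumFile renders a sha256sum-compatible manifest, one "<hex>  <name>" line
// per artifact, sorted by name so the output is deterministic.
func ChecksumFile(r Release) []byte {
	names := make([]string, 0, len(r))
	for n := range r {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(r[n])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return buf.Bytes()
}

// VerifyChecksums parses a manifest and returns the names of artifacts whose digest
// does not match or that are missing. An empty result means everything listed is intact.
func VerifyChecksums(manifest []byte, r Release) []string {
	var bad []string
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		want, name := fields[0], fields[1]
		data, ok := r[name]
		if !ok {
			bad = append(bad, name)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			bad = append(bad, name)
		}
	}
	return bad
}

// SignManifest and VerifyManifest are the out-of-band authenticity step. Ed25519 stands in
// for GPG here (assumption); the publisher's public key is what users obtain separately.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

func VerifyManifest(pub ed25519.PublicKey, manifest, sig []byte) bool {
	return ed25519.Verify(pub, manifest, sig)
}

// Outcome summarises the three scenarios walked through in RunScenarios.
type Outcome struct {
	CleanChecksumsOK  bool     // untouched release: manifest matches the artifacts
	CleanSignatureOK  bool     // and the publisher's signature verifies
	TamperedArtifacts []string // one binary swapped, manifest untouched: checksum names it
	ForgedChecksumsOK bool     // binary swapped and manifest regenerated: checksums alone pass
	ForgedSignatureOK bool     // but a signature made without the publisher's key fails
}

// RunScenarios builds a constructed sample release and plays through the cases from the thread.
func RunScenarios() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the publisher's key pair
	if err != nil {
		return Outcome{}, err
	}
	rel := Release{ // constructed sample artifacts, not real builds
		"up_linux_amd64":   []byte("up linux amd64 build (constructed sample)"),
		"up_freebsd_amd64": []byte("up freebsd amd64 build (constructed sample)"),
	}
	manifest := ChecksumFile(rel)
	sig := SignManifest(priv, manifest)

	var out Outcome
	out.CleanChecksumsOK = len(VerifyChecksums(manifest, rel)) == 0
	out.CleanSignatureOK = VerifyManifest(pub, manifest, sig)

	// Scenario 2: a mirror or CDN swaps one binary but cannot touch the manifest.
	tampered := Release{}
	for k, v := range rel {
		tampered[k] = v
	}
	tampered["up_linux_amd64"] = []byte("backdoored build (constructed sample)")
	out.TamperedArtifacts = VerifyChecksums(manifest, tampered)

	// Scenario 3: the release account is compromised; the attacker re-publishes the binary,
	// regenerates the checksum file and signs it with a key of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	forged := ChecksumFile(tampered)
	forgedSig := SignManifest(attackerPriv, forged)
	out.ForgedChecksumsOK = len(VerifyChecksums(forged, tampered)) == 0
	out.ForgedSignatureOK = VerifyManifest(pub, forged, forgedSig)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The third scenario is the one the maintainer asked about: after an account compromise the checksum file is self-consistent and `VerifyChecksums` passes, so a user who only checks digests learns nothing. The signature check fails because the attacker cannot produce a signature under the publisher's key, which users fetched through a different channel than the release page. That is the gap a signed checksum file closes over plain HTTPS.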