c9 / install

Cloud9 SSH installer
Security Concern about downloading packages from github #95

Open NGenetzky opened 5 years ago

NGenetzky commented 5 years ago

Context:

DOWNLOAD https://raw.githubusercontent.com/c9/install/master/packages/*

Problem:

  1. Download is not locked down to a particular revision (master).
  2. Download integrity is not verified.

I am no security expert, but I would be happy to elaborate on why these are problems if desired.
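
One way to address both points raised in this issue, as an added example that is not code from the c9/install project: the download URL uses a full commit SHA instead of `master`, and the file is moved into place only after its SHA-256 matches a digest recorded in advance. The function names are hypothetical, and the commit SHA and expected digest are values the caller must supply.

```shell
#!/bin/sh
# Added example, not part of c9/install. Function names are illustrative;
# the commit SHA and expected digest are supplied by the caller.
BASE="https://raw.githubusercontent.com/c9/install"

# Print the SHA-256 of a file using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Build the URL for packages/<path> at a full commit SHA. Branch names such
# as "master" are rejected because their content can change between downloads.
pinned_url() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$' || {
    echo "refusing mutable ref: $1" >&2; return 1; }
  printf '%s/%s/packages/%s\n' "$BASE" "$1" "$2"
}

# Move src to dest only if its digest equals the expected value;
# on mismatch the downloaded file is deleted and nothing is installed.
# Usage: install_verified <src> <dest> <sha256>
install_verified() {
  actual=$(sha256_of "$1") || return 1
  if [ "$actual" != "$3" ]; then
    echo "digest mismatch for $1: got $actual" >&2
    rm -f "$1"
    return 1
  fi
  mv "$1" "$2"
}

# Download to a temporary file, then verify before it reaches dest.
# Usage: fetch_pinned <commit> <path> <sha256> <dest>
fetch_pinned() {
  url=$(pinned_url "$1" "$2") || return 1
  tmp=$(mktemp) || return 1
  curl -fsSL --proto '=https' -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
  install_verified "$tmp" "$4" "$3"
}
```

The expected digests need to live somewhere the download channel cannot rewrite, for example inside the installer script itself at the pinned revision.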