Yes, you're right. I'll put it into the documentation now.
Note that this won't be truly fixed until we have a mechanism to sign the binaries. Until then---even doing the quick start steps by hand---you're still running an untrusted binary.
I disagree, a binary will never be good enough, even signed.
Now that I read the code, I can deploy from source, but that's what the quick start should be doing in the first place.
On Sep 6, 2013 11:15 PM, "DC" notifications@github.com wrote:
> Yes, you're right. I'll put it into the documentation now.
> Note that this issue won't really be fixed until we have a mechanism to sign the binaries. Until then---even doing the quick start steps by hand---you're still running an untrusted binary.
"a binary will never be good enough, even signed"
Why not?
The plan is to have deterministic builds. That way:
On Fri, Sep 6, 2013 at 4:08 PM, Chris Glass notifications@github.com wrote:
> I disagree, a binary will never be good enough, even signed.
> Now that I read the code, I can deploy from source, but that's what the quick start should be doing in the first place.
> On Sep 6, 2013 11:15 PM, "DC" notifications@github.com wrote:
>> Yes, you're right. I'll put it into the documentation now.
>> Note that this issue won't really be fixed until we have a mechanism to sign the binaries. Until then---even doing the quick start steps by hand---you're still running an untrusted binary.
Very much agree with @dcposch
I think signed builds are good for adoption, and can be verified. It should, however, also be trivially easy to build from source. (and source should be well documented to be easily inspectable. lib dependencies as well)
I should be able to do any of these:
```sh
# pkg mgr download + run (yes, some people will want this)
sudo apt-get install scramble

# download released binary + run
wget https://github.com/dcposch/scramble/archive/scramble-v1.2.3.tar.gz
tar xvf scramble-v1.2.3.tar.gz
cd scramble-v1.2.3
bin/scramble

# clone, build, run
git clone https://github.com/dcposch/scramble
cd scramble
make
bin/scramble

# verify signed binary comes from git tag/hash (both in src or release tarball)
bin/scramble-verify bin/scramble c32a83e449afb15ad6a7e8fdb3d4f312925eb328
bin/scramble-verify bin/scramble c32a83e449afb15ad6a7e8fdb3d4f312925eb329
ERROR: bin/scramble DOES NOT CORRESPOND TO git tag c32a83e449afb15ad6a7e8fdb3d4f312925eb329
ALL YOUR BASE MAY BE COMPROMISED.
To be safe, download new binary from https://github.com/dcposch/scramble
```
Quick Start created. Just filled in the incomplete sections: https://scramble.io/doc/quick-start.html
The quickstart 404s: https://scramble.io/bin/quick-start.sh

Also, I think suggesting to pipe the output of wget in a shell is a very bad way to start a trust relationship with users of a security-focused product.
Why not simply inline the script in the documentation, for a start?
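
The concern above about piping wget into a shell, shown as an added example that is not part of this thread or the project's own code: the installer is saved to disk, checked against a pinned SHA-256, and only then handed to `sh`. The function names and the idea of a digest published in the documentation are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before running it, instead of piping wget straight into a shell.
# Assumption: the expected digest is published out-of-band (for example,
# printed in the documentation); the page does not define such a digest.

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum <"$1" | cut -d' ' -f1
    else
        shasum -a 256 <"$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 only on an exact match.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Reject anything that is not exactly 64 hex characters, so a truncated
    # or empty digest can never "match".
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "ERROR: $file does not match pinned digest" >&2
        return 1
    fi
}

# run_if_verified FILE EXPECTED_HEX [ARGS...] -> runs FILE with sh only
# after the digest check passes; a mismatch never reaches the interpreter.
run_if_verified() {
    script=$1 digest=$2
    shift 2
    verify_sha256 "$script" "$digest" || return $?
    sh "$script" "$@"
}
```

The digest is only as trustworthy as the channel it was read from, so it should come from somewhere other than the server that hosts the script.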