Installing from release tarball is too hard and not documented

[nirs]

Installing socket_vmnet from brew is extremely easy but insecure so it should never be used. Maybe macports is safe, but I would not install macports for one package. Installing from source is very easy, but requires development tools and checking the latest tag. Installing from release tarball (the common way) is not documented at all.

The safe way to install from a release tarball is:

curl -LO https://github.com/lima-vm/socket_vmnet/releases/download/v1.1.5/socket_vmnet-1.1.5-arm64.tar.gz
sudo mkdir -p /opt/socket_vmnet
sudo tar xvf socket_vmnet-1.1.5-arm64.tar.gz -C /opt/socket_vmnet --strip 3

sudo launchctl bootout system /Library/LaunchDaemons/$SERVICE.plist || true

export SERVICE=io.github.lima-vm.socket_vmnet
sudo cp /opt/socket_vmnet/share/doc/socket_vmnet/launchd/$SERVICE.plist /Library/LaunchDaemons/$SERVICE.plist
sudo launchctl bootstrap system /Library/LaunchDaemons/$SERVICE.plist
sudo launchctl enable system/$SERVICE
sudo launchctl kickstart -kp system/$SERVICE

Fix:

• [ ] document the commands for installing from release tarball (easy)
• [ ] Add install/uninstall scripts - can be used by the Makefile (easy)
• [ ] Add a standard installer package? (more work)

[jandubois]

The plan is to release a "cask" based on https://github.com/Homebrew/homebrew-cask/pull/136271/files in our own Lima "tap" and suggest that for installation.

Once that is in place we will also tighten the requirements in Lima again that socket_vmnet and all directories leading to it must not be writable by anyone but root. Currently it allows admin, which is not secure.

[nirs]

The plan is to release a "cask" based on https://github.com/Homebrew/homebrew-cask/pull/136271/files in our own Lima "tap" and suggest that for installation.

The install script looks good and will make installation easy. But the install script itself if not installed as root, so we cannot really trust it. Another program running as any user on the machine can modify brew install script.

For a standard installer package this is not an issue since it is not installed on the host for long time in a well known location.

It seems that the question what is the official secure way to do this in brew was not answered: https://github.com/Homebrew/homebrew-cask/pull/136271#issuecomment-1323368171

Maybe we need a homebrew issue for this? This affects also packages that do not run as root but use sudo like minikube.

Once that is in place we will also tighten the requirements in Lima again that socket_vmnet and all directories leading to it must not be writable by anyone but root. Currently it allows admin, which is not secure.

Sounds good

[jandubois]

The install script looks good and will make installation easy. But the install script itself if not installed as root, so we cannot really trust it. Another program running as any user on the machine can modify brew install script.

I noticed that the core formulae are no longer installed on the host by default, but loaded from an API, which helps with this issue. When you tap the core libraries there are a bunch that could be attacked:

$ grep -cr sudo.*true /usr/local/Homebrew/Library/Taps/homebrew/homebrew-cask/Casks | grep -v :0 | wc -l
     118

So maybe just having an installer script is the right thing then?

curl http://github.com/…/install.sh | sudo sh

with instructions to audit the install script before running it?

Because I don't see a safe way to do this with brew that would not end up being the same thing.

And maybe the script could also be signed, so users could check the signature before running it. But that opens another can of worms.

[AkihiroSuda]

Can we just recommend make && sudo make install.bin ?

Can we safely assume that almost all users have the Xcode Command Line Tools ?

[nirs]

So maybe just having an installer script is the right thing then?

curl http://github.com/…/install.sh | sudo sh

We can use sudo in the script, since downloading the tarball does not require privileges.

So it will be:

curl http://github.com/…/install.sh | sh

And the interaction can be something like

Do you want to install socket_vmnet service? [N/y] y
Installation requires root privileges.
Password:
✓ Downloading socket_vmnet version 1.1.5 for arm64
✓ Installed socket_vmnet at /opt/socket_vmnet
✓ Started service system/io.github.lima-vm.socket_vmnet

We can support enviroment variables or for version, bridged network or prefix:

curl http://github.com/…/install.sh | VERSION=1.1.5 PREFIX=/usr/local BRIDGE=en0 sh

And maybe the script could also be signed, so users could check the signature before running it. But that opens another can of worms.

You get the script via https, so it you trust github and the root certificates and socket_vmnet maintainers, this should be enough. We also have a SHA256SUMS so you can verify the script before running it.

We can sign the script and the release tarball with gpg and publish the gpg key somewhere but probably 99% of user will not be able to use it.

[nirs]

Can we just recommend make && sudo make install.bin ?

Since our users are developers (otherwise why do you need lima or minikube?) we can assume they already have git.

Can we safely assume that almost all users have the Xcode Command Line Tools ?

Not sure, many developer that want lima for building containers or running application on local clusters do never need for C compiler. They may use python, node, or go.

[chancez]

I'll provide feedback that "install from source" approach doesn't work because while the primary audience may be engineers, there's still a large audience of non-engineers.

My company is full of engineers, but we also have a lot of technical marketing staff, customer support staff, etc, who often do not have any compilers, C, Go or otherwise installed on their system, so this has recently come up as a big roadblock for them, and I'm currently having to write some docs on installing the release binaries from GitHub instead. An install script would probably be a nice addition.