luvit / lit

Toolkit for developing, sharing, and running luvit/lua programs and libraries.
http://lit.luvit.io/
Apache License 2.0

Verify signatures on client fetch #13

Open creationix opened 9 years ago

creationix commented 9 years ago

This should prompt the user to install anyway if a package fails verification.

creationix commented 9 years ago

This is mostly implemented now. There are two design issues with verifying in the client:

  1. A user's ssh key may be revoked some time after they publish a package. This will make it impossible for clients to later verify the package.
  2. The client lit database doesn't know the members of groups in the server they are syncing from. Even if they were able to query the list of members from the server, this introduces trust in the server (the exact thing that client verification is trying to avoid).

For now this simply logs a message with either blue or red colouring when importing tags from upstream.

creationix commented 9 years ago

Since this was enabled, we are now having issues where our CI servers are hitting github's rate-limit. Since the verification doesn't buy as much as I originally thought it did, shall we disable this by default and allow people to opt in via a custom config?

rphillips commented 9 years ago

That sounds like a great idea. +1

creationix commented 9 years ago

I was thinking that maybe a useful feature for paranoid/careful users would be a whitelist of trusted authors and only allow installing packages from those authors (and verify the signatures on download) so that you don't have to trust the server. Since we have a full list of users, we can just try all their keys on group packages and if it's signed by one of them, it will be verified.
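The whitelist idea in the last comment, together with the two design issues raised earlier in the thread (revoked keys and not trusting the server for group membership), can be sketched as a small client-side trust policy. The block below is an added example, not code from lit or from the thread's participants. It assumes a client-held trust store (`TrustStore`) that records each trusted author's public keys with an optional revocation time and the client's own copy of group membership, and it assumes the policy that a key revoked after a package was published still vouches for that package. The signature scheme is a textbook RSA-over-SHA-256 stand-in for the ssh-rsa signatures lit actually uses, with tiny fixed primes, so it is for illustration only; all names and package bytes are constructed.

```python
"""Client-side trust policy for package signatures (constructed example).

The trust store lives on the client: a whitelist of authors, each author's
public keys (with an optional revocation time), and the client's own record
of group membership, so nothing here asks the server who is allowed to sign.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

E = 65537  # RSA public exponent


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int = E


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int):
    """Textbook RSA from two primes; a demo stand-in, never for real keys."""
    phi = (p - 1) * (q - 1)
    return PublicKey(p * q), PrivateKey(p * q, pow(E, -1, phi))


def sign(priv: PrivateKey, data: bytes) -> int:
    return pow(_digest(data) % priv.n, priv.d, priv.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == _digest(data) % pub.n


@dataclass(frozen=True)
class KeyRecord:
    key: PublicKey
    revoked_at: Optional[int] = None  # unix time the owner revoked it, if ever


@dataclass
class TrustStore:
    authors: dict = field(default_factory=dict)  # author -> [KeyRecord, ...]
    groups: dict = field(default_factory=dict)   # group -> {member, ...}


def check_package(store: TrustStore, owner: str, data: bytes, sig: int,
                  published_at: int):
    """Return (accepted, reason) for a tag published under `owner`.

    `owner` is either an author or a group name; for a group, every member the
    client itself lists is tried, so the server's membership list is never
    consulted. Only whitelisted authors count.
    """
    candidates = store.groups.get(owner, {owner})
    trusted = [a for a in candidates if a in store.authors]
    if not trusted:
        return False, f"{owner!r} is not on the trusted-author whitelist"
    for author in trusted:
        for rec in store.authors[author]:
            # Assumed policy: a key revoked *after* publication still vouches
            # for packages signed while it was valid; a key revoked before
            # publication never does.
            if rec.revoked_at is not None and published_at >= rec.revoked_at:
                continue
            if verify(rec.key, data, sig):
                return True, f"valid signature from trusted author {author!r}"
    return False, "no trusted, unrevoked key verifies this signature"


# --- constructed sample data (Mersenne primes keep the toy keys distinct) ---
ALICE_PUB, ALICE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**127 - 1, 2**13 - 1)

STORE = TrustStore(
    authors={
        "alice": [KeyRecord(ALICE_PUB, revoked_at=2_000)],  # revoked at t=2000
        "bob": [KeyRecord(BOB_PUB)],
    },
    groups={"luvit": {"alice", "bob"}},  # client's own copy of membership
)
PACKAGE = b"constructed tarball bytes for an example package"


def demo():
    """Exercise the four cases a client will meet when verifying a fetch."""
    return {
        "group_signed_by_member": check_package(
            STORE, "luvit", PACKAGE, sign(ALICE_PRIV, PACKAGE), 1_000),
        "published_after_revocation": check_package(
            STORE, "luvit", PACKAGE, sign(ALICE_PRIV, PACKAGE), 3_000),
        "untrusted_author": check_package(
            STORE, "mallory", PACKAGE, sign(MALLORY_PRIV, PACKAGE), 1_000),
        "signature_by_wrong_key": check_package(
            STORE, "bob", PACKAGE, sign(MALLORY_PRIV, PACKAGE), 1_000),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28} {'accept' if ok else 'reject'}  {why}")
```

Because the whitelist and the group list are both local, the server cannot add a signer the client did not choose to trust, which is the point of verifying on the client at all. The revocation rule is the one judgement call: tying it to the package's publication time keeps older releases verifiable after a key rotation, at the cost of trusting the recorded publication time.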