Closed dom96 closed 3 years ago
Immediate thought: how does rustup handle this?
Sign the script and/or publish the checksum somewhere trustworthy, similar to what we do with our binary releases.
Any form of validation would have to be done by the user since if we automate it there's no reason why an attacker can't just remove the verification code.
Cool, easy fix then. I will try to do that today ASAP.
FWIW I don't actually see rustup offering anything like this: https://rustup.rs/. But to be consistent with the sha256 sums we have for Nim releases, I will create one for this script.
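The user-side check described in this thread (a published sha256 sum verified before the script is ever executed, rather than trusting verification code embedded in the script), as an added shell example that is not part of this issue or of the Nim project's own tooling. The script name `init.sh`, the checksum file name and the sample script contents are constructed for the demo; in practice the digest would be fetched from a trusted channel separate from the script download.

```shell
#!/bin/sh
# Added example: verify a downloaded installer script against an
# out-of-band sha256 digest before running it. Names and contents below
# are constructed stand-ins, not the project's real artifacts.
set -u

WORK=$(mktemp -d)
SCRIPT="$WORK/init.sh"          # hypothetical downloaded installer
SUMS="$WORK/init.sh.sha256"     # hypothetical published checksum file

# Stand-in for the script as served (constructed).
printf '#!/bin/sh\necho "installing toolchain"\n' > "$SCRIPT"

# Stand-in for the digest the maintainers publish on a trusted channel,
# in the "<hex>  <filename>" format that `sha256sum -c` also understands.
( cd "$WORK" && sha256sum init.sh > "$SUMS" )

# verify_script <script> <sumsfile>
# Returns 0 only when the local file's sha256 equals the published one.
# Nothing inside the script itself is trusted or executed here.
verify_script() {
    script=$1
    sums=$2
    expected=$(awk 'NR==1 {print $1}' "$sums")
    actual=$(sha256sum "$script" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# run_if_verified <script> <sumsfile>
# Executes the script only after a successful digest check; otherwise
# refuses and returns 1.
run_if_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1; refusing to run" >&2
        return 1
    fi
}

# The pristine script verifies and runs.
run_if_verified "$SCRIPT" "$SUMS"

# Simulated in-transit modification (constructed): any change to the
# script, including removal of embedded verification logic, breaks the
# published digest, so the file is rejected before execution.
printf 'echo "unexpected extra line"\n' >> "$SCRIPT"
run_if_verified "$SCRIPT" "$SUMS" || echo "modified script rejected"
```

The same comparison can be done with `sha256sum -c init.sh.sha256` from the download directory; the point is that the comparison runs on the user's machine against a digest obtained independently of the script, which is why it cannot be undone by editing the script.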
Sent to security@nim-lang.org from research@nightwatchcybersecurity.com: