rubygems-trust / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Checksum against repository #21

Open trans opened 11 years ago

trans commented 11 years ago

Maybe this is too simplistic, but would it be possible to get a checksum for a tag from the repository from which the gem was created? I think all projects today use an SCM. Any gem released should also have a tag associated with it. If we can test the gem against the tag then we should know if it is sound -- assuming of course both the gem and the repo haven't been compromised, but since they reside on different services that would be much harder to do and developers will likely notice fairly quickly if a repo is tampered with. There's one last thing this idea requires though, and that is a way to keep a trusted mapping of gem -> repo.

tarcieri commented 11 years ago

How do you identify where the checksum is located, and how do you prevent attackers from modifying that file after the fact?

trans commented 11 years ago

The checksum would be generated on demand from the tag.

Technically we don't even need to calculate the checksum, as the contents of the repo and the gem could be compared directly.

git clone -b v1.0.0 --single-branch git://sub.domain.com/repo.git

Then compare the contents of the gem to make sure it matches the contents of the cloned tag. The checksum is just for convenience of comparison.
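The comparison sketched above, as an added Ruby example that is not part of this issue or of rubygems.org: it unpacks a .gem, digests every file the gem ships, and reports which of them differ from a checked-out tag, treating repo-only files (tests, CI config, .gitignore) as expected rather than as a mismatch. The `git clone` step is replaced by a constructed source tree on disk, and the gem spec used to build the sample gems is hypothetical.

```ruby
%w[rubygems/package digest tmpdir fileutils].each { |lib| require lib }

# SHA-256 of every regular file under root, keyed by relative path (.git/ skipped).
def tree_digests(root)
  Dir.chdir(root) do
    files = Dir.glob("**/*", File::FNM_DOTMATCH).select { |f| File.file?(f) && !f.start_with?(".git/") }
    files.to_h { |f| [f, Digest::SHA256.file(f).hexdigest] }
  end
end

# The check itself: every file the gem ships must exist in the tag with identical
# content. The gem's data.tar.gz is unpacked into a scratch dir and digested the
# same way as the tag checkout. Files only in the tag are reported, not failed.
def compare_gem_to_tag(gem_path, tag_dir)
  in_gem = Dir.mktmpdir { |d| Gem::Package.new(gem_path).extract_files(d); tree_digests(d) }
  in_tag = tree_digests(tag_dir)
  { modified:    (in_gem.keys & in_tag.keys).select { |f| in_gem[f] != in_tag[f] },
    only_in_gem: in_gem.keys - in_tag.keys,
    only_in_tag: in_tag.keys - in_gem.keys }
end

# Constructed stand-in for the `git clone -b v1.0.0` checkout: a tiny source tree.
def write_tree(dir, hello_src)
  FileUtils.mkdir_p(File.join(dir, "lib"))
  File.write(File.join(dir, "lib/hello.rb"), hello_src)
  File.write(File.join(dir, ".gitignore"), "*.gem\n") # lives in the repo, not the gem
  dir
end

# Package a tree as hello-1.0.0.gem (hypothetical spec; validation skipped).
def build_gem(tree, out_dir)
  spec = Gem::Specification.new do |s|
    s.name, s.version, s.summary, s.authors = "hello", "1.0.0", "demo", ["demo"]
    s.files = ["lib/hello.rb"]
  end
  name = Dir.chdir(tree) { Gem::Package.build(spec, true) } # written into cwd
  FileUtils.mv(File.join(tree, name), out_dir)
  File.join(out_dir, name)
end

# Two runs: an honest gem, then a gem whose lib/hello.rb differs from the tag.
def demo
  Dir.mktmpdir("tagcheck") do |work|
    tag  = write_tree(File.join(work, "tag"),  "puts 'hello'\n")
    evil = write_tree(File.join(work, "evil"), "puts 'hello'\n# not in the tag\n")
    [tag, evil].map { |tree| compare_gem_to_tag(build_gem(tree, work), tag) }
  end
end
```

Against a real release you would point `compare_gem_to_tag` at the downloaded .gem and the directory produced by the clone command above; a non-empty `modified` or `only_in_gem` list is the signal that the gem does not correspond to the tag.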