search

swcarpentry / DEPRECATED-bc

DEPRECATED: This repository is now frozen - please see individual lesson repositories.
Other
299 stars 382 forks source link

Updating the path to the Windows installer in the setup instructions #488

Closed gvwilson closed 10 years ago

gvwilson commented 10 years ago

Fixing link to installer after merging #480.

wking commented 10 years ago

On Mon, May 12, 2014 at 08:35:25AM -0700, Greg Wilson wrote:

  • Updating the path to the Windows installer in the setup instructions

Now that we're asking folks to use a binary installer (harder to audit), it's probably a good idea to use HTTPS and post a checksum so folks can check that the installer they're running hasn't been surreptitiously replaced with some nefarious impersonator.

I'm not sure what hashing programs Windows supports out of the box, but msysGit comes with md5sum. Not the greatest hash, but between that and HTTPS, it may be sufficiently secure.

gvwilson commented 10 years ago

Good idea (and one I should have thought of. Can you please PR:

  1. a change to the installation instructions to include the MD5 and switch the link to HTTPS, and
  2. a short note in the lead instructor checklist in the site repo explaining how to verify the MD5?

I don't think it's realistic to ask all the learners to verify the MD5 (especially not before the bootcamp starts), so getting the lead instructor to do it seems like the best alternative (?).

ethanwhite commented 10 years ago

On Tue, May 13, 2014 at 6:26 AM, Greg Wilson notifications@github.com wrote:

I don't think it's realistic to ask all the learners to verify the MD5 (especially not before the bootcamp starts), so getting the lead instructor to do it seems like the best alternative (?).

+1

wking commented 10 years ago

On Tue, May 13, 2014 at 03:26:40AM -0700, Greg Wilson wrote:

Good idea (and one I should have thought of. Can you please PR: [snip suggestions]

Sure. Should I PR against gvwilson:updating-windows-installer-path so you can merge them here before this lands?

  1. a short note in the lead instructor checklist in the site repo explaining how to verify the MD5?

Where should this live? setup/windows-installer/README.md with a link from novice/teaching/01-general.md?

I don't think it's realistic to ask all the learners to verify the MD5 (especially not before the bootcamp starts), so getting the lead instructor to do it seems like the best alternative (?).

Is the lead instructor going to talk the class through it? Or tell them to not run the installer before they show up for the workshop, and then go around and check MD5s on everyone's installer? Neither of those seem particularly likely to me.

It wasn't realistic before to expect them to look through the script looking for exploits. The point is that they should be checking these sorts of things eventually, even if they don't know how yet. We need to at least provide the tools for them to do so if they want. If they follow through and use the suggested check, then good on them. If they feel it's an acceptable risk to ignore the checks, it's their computer. I'm fine just posting the MD5 and leaving it up to them.

gvwilson commented 10 years ago

I would like to go ahead and merge this one, then get a separate PR with the checksum and instructions on checking it - any objections? (cf. #496)

ethanwhite commented 10 years ago

+1 to merge.

On Sunday, May 18, 2014, Greg Wilson notifications@github.com wrote:

I would like to go ahead and merge this one, then get a separate PR with the checksum and instructions on checking it - any objections? (cf. #496https://github.com/swcarpentry/bc/issues/496 )

— Reply to this email directly or view it on GitHubhttps://github.com/swcarpentry/bc/pull/488#issuecomment-43437872 .

wking commented 10 years ago

On Sun, May 18, 2014 at 04:49:23AM -0700, Greg Wilson wrote:

I would like to go ahead and merge this one, then get a separate PR with the checksum and instructions on checking it - any objections?

It looks like we're missing “official” certs for HTTPS:

$ wget https://files.software-carpentry.org/SWCarpentryInstaller.exe --2014-05-20 09:10:38-- https://files.software-carpentry.org/SWCarpentryInstaller.exe Resolving files.software-carpentry.org... 174.136.14.108 Connecting to files.software-carpentry.org|174.136.14.108|:443... connected. ERROR: cannot verify files.software-carpentry.org's certificate, issued by ‘/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=vps1.sensibleadventures.com/emailAddress=ssl@vps1.sensibleadventures.com’: Self-signed certificate encountered. ERROR: certificate common name ‘vps1.sensibleadventures.com’ doesn't match requested host name ‘files.software-carpentry.org’. To connect to files.software-carpentry.org insecurely, use `--no-check-certificate'.

$ wget https://software-carpentry.org/ --2014-05-20 09:18:09-- https://software-carpentry.org/ Resolving software-carpentry.org... 174.136.14.108 Connecting to software-carpentry.org|174.136.14.108|:443... connected. ERROR: cannot verify software-carpentry.org's certificate, issued by ‘/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=vps1.sensibleadventures.com/emailAddress=ssl@vps1.sensibleadventures.com’: Self-signed certificate encountered. ERROR: certificate common name ‘vps1.sensibleadventures.com’ doesn't match requested host name ‘software-carpentry.org’. To connect to software-carpentry.org insecurely, use `--no-check-certificate'.

Does this deserve a separate issue, or can I tack it on here?

gvwilson commented 10 years ago

Please file a separate issue, and I'll ask Mozilla to generate a real cert.