Closed Cryptophobia closed 6 years ago
From @bacongobbler on August 25, 2016 14:55
The problem right now is that the install script is hosted by Github Pages, which does not support SSL. For the time being, the best way to prevent MITM attacks and to use SSL for installing the client is to either
curl
matches https://github.com/deis/deis.io/blob/gh-pages/deis-cli/install-v2.sh
curl -o deis https://storage.googleapis.com/workflow-cli/v2.3.0/deis-v2.3.0-linux-amd64
curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash
instead. Hope this helps :)
From @Joshua-Anderson on August 25, 2016 15:25
@slack Would it be possible to move this script to deis.com? I guess that would close source the script, but we could also move it to a subdomain like what we do for helm classic and get.helm.sh.
From @croemmich on August 25, 2016 18:12
Could you move the source to the documentation repository? If I'm not mistaken, that gets built and hosted on deis.com, which has SSL. The script doesn't really do that much and is only ever referenced from the documentation.
From @bacongobbler on August 25, 2016 19:4
I think that'd be reasonable since deis.com is a private repo due to licensing issues with the blog posts. It would allow contributors to continue providing updates and enhancements to the script and we get it backed by SSL. Problem is that the URL would then be https://deis.com/docs/workflow/deis-cli/install-v2.sh which would be a little too long to type out. Optimally if it were hosted by deis.com it would be preferred to have it at something like https://deis.com/install-v2.sh
From @croemmich on August 27, 2016 0:16
Personally, I'll probably always copy and paste it so length doesn't matter much to me. As far as your deis.com brand goes, https://deis.com/install-v2.sh would definitely be optimal.
From @bacongobbler on September 19, 2016 20:54
We're planning on a site-wide migration over to deis.com so this will eventually happen. The ticket for doing this is behind closed doors (so to speak) so there's no public announcement on when that'll happen, but there is a migration plan for deis.io content to move to deis.com.
This isn't something we can implement within this release though, so I'll remove the milestone. I'm also removing the priority as there is a workaround for users who are concerned about MITM attacks:
curl https://raw.githubusercontent.com/deis/deis.io/gh-pages/deis-cli/install-v2.sh | bash
From @rvadim on December 21, 2016 4:1
Download of 2.3.0 works fine, but the latest versions do not actually work
$ curl -o deis https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 127 100 127 0 0 224 0 --:--:-- --:--:-- --:--:-- 225
/ $ cat deis
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.1/deis-v2.9.1-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.9.0/deis-v2.9.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
/ $
/ $ curl https://storage.googleapis.com/workflow-cli/v2.8.0/deis-v2.8.0-linux-amd64
<?xml version='1.0' encoding='UTF-8'?><Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message></Error>/ #
From @mboersma on December 21, 2016 15:58
@rvadim that URL isn't correct, it should be in the "workflow-cli-release" directory. Try this one:
$ curl -o deis https://storage.googleapis.com/workflow-cli-release/v2.9.1/deis-v2.9.1-linux-amd64
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9021k 100 9021k 0 0 14.1M 0 --:--:-- --:--:-- --:--:-- 14.1M
From @rvadim on December 22, 2016 4:15
@mboersma Thank you.
We moved this CLI download script to this GitHub home repo and are using Google Storage to host the CLI binaries, so this issue is closed via https://github.com/teamhephy/workflow-cli/pull/34
From @croemmich on August 25, 2016 5:20
The download script listed in the docs (http://deis.io/deis-cli/install-v2.sh) is currently being served over a non-ssl connection allowing a MITM attack to replace the script and fetch a rogue client binary. That'd be all sorts of bad...
Copied from original issue: deis/workflow-cli#200
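An added example, not part of the thread and not the Deis install script: a download wrapper that refuses the plain-HTTP URL from the original report and also catches the failure seen on December 21, where `curl -o` saved a `NoSuchKey` XML error body as the `deis` binary. The function names are hypothetical, and the ELF check is only a sanity check on the file type for Linux binaries, not an integrity verification.

```shell
#!/bin/sh
# Added example: function names (require_https, is_elf, fetch_cli) are
# hypothetical and do not come from the Deis project.

# Accept only https:// URLs, so a plain-HTTP link is refused
# before any request is made.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# A Linux binary starts with the ELF magic bytes 0x7f 'E' 'L' 'F'.
# An XML error document saved by "curl -o" fails this check.
is_elf() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Download to a temporary file and move it into place only after
# the transfer succeeded and the file looks like a binary.
fetch_cli() {
  url=$1
  dest=$2
  require_https "$url" || return 1
  tmp=$(mktemp) || return 1
  # --proto / --proto-redir '=https': curl refuses any other protocol,
  #     including on redirects
  # -f: exit non-zero on an HTTP error instead of saving the error body
  if curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
          -fsSL -o "$tmp" "$url" && is_elf "$tmp"; then
    chmod +x "$tmp" && mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "download failed or result is not an ELF binary: $url" >&2
    return 1
  fi
}

# Usage, with the URL given later in the thread:
# fetch_cli https://storage.googleapis.com/workflow-cli-release/v2.9.1/deis-v2.9.1-linux-amd64 ./deis
```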