[Pharo-users] Securely downloading Pharo

Wilfred Hughes me at wilfred.me.uk
Tue May 3 18:33:51 EDT 2016


Is there any way of downloading Pharo securely?

I'm trying to download Pharo itself over HTTPS, so I know I can trust the data:

$ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
--2016-05-02 22:44:34--  https://files.pharo.org/platform/Pharo4.0-linux.zip
Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

The excellent pharo zeroconf script doesn't seem available over HTTPS either:

$ curl https://get.pharo.org/vm50
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Looking at the script itself, it's downloading files over HTTP from
files.pharo.org and executing them without verifying. I've explored
files.pharo.org, but I can't see any signatures or hashes (e.g.
sha256sum) of any of the files.

The pharo homepage is largely available at https://pharo.org/
(although some of the styling is missing due to being served over
HTTP).

Have I missed something? Would it be possible to provide HTTPS and/or
sha256sums for downloads?


Wilfred




More information about the Pharo-users mailing list