[Pharo-users] Securely downloading Pharo

Peter Uhnák i.uhnak at gmail.com
Tue May 3 18:54:29 EDT 2016


I guess you could download it from the Jenkins job
https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/

although the job itself downloads over http from files.pharo.org… but
Jenkins should be fine enough if you are worried about MitM between you and
Pharo.

For SHA you still need a secure connection assuming the website wouldn't
get compromised,
or digitally signed releases assuming the signing won't be misconfigured,
or the keys won't get compromised.

But I agree that this should be solved, or at least improved; but then
again whole smalltalkhub doesn't use https and you are sending your
credentials in plaintext over the network (have fun committing from a hotel
room wifi)… security through obscurity can be incredibly efficient.

Of course that means that we need someone with the time and knowledge that
can invest effort into this.

Peter

On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <me at wilfred.me.uk> wrote:

> Is there any way of downloading Pharo securely?
>
> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
> data:
>
> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
> --2016-05-02 22:44:34--
> https://files.pharo.org/platform/Pharo4.0-linux.zip
> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443...
> connected.
> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
> Unable to establish SSL connection.
>
> The excellent pharo zeroconf script doesn't seem available over HTTPS
> either:
>
> $ curl https://get.pharo.org/vm50
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
>
> Looking at the script itself, it's downloading files over HTTP from
> files.pharo.org and executing them without verifying. I've explored
> files.pharo.org, but I can't see any signatures or hashes (e.g.
> sha256sum) of any of the files.
>
> The pharo homepage is largely available at https://pharo.org/
> (although some of the styling is missing due to being served over
> HTTP).
>
> Have I missed something? Would it be possible to provide HTTPS and/or
> sha256sums for downloads?
>
>
> Wilfred
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.pharo.org/pipermail/pharo-users_lists.pharo.org/attachments/20160504/2f870098/attachment.html>


More information about the Pharo-users mailing list