[Pharo-users] Securely downloading Pharo

Wilfred Hughes me at wilfred.me.uk
Wed May 4 17:51:32 EDT 2016


Yep, a SHA sum is less useful if it's on the same site. Still, it
would be really useful to check the file against accidental
corruption. It would also be useful for comparing with the checksums
used by packagers, e.g.
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pharo#n27.
Users could see if their Pharo package was the same as the package
on pharo.org.

pharo.org very nearly works with HTTPS, it's just a few JS/CSS files
that need to stop using absolute URLs (so e.g.
"http://pharo.org/files/screenshots/pharo-is-yours.png" should be a
protocol-relative URL
"//pharo.org/files/screenshots/pharo-is-yours.png").

Is the site hosted somewhere that users can send patches to?

On 3 May 2016 at 23:54, Peter Uhnák <i.uhnak at gmail.com> wrote:
> I guess you could download it from the Jenkins job
> https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/
>
> although the job itself downloads over http from files.pharo.org… but
> Jenkins should be fine enough if you are worried about MitM between you and
> Pharo.
>
> For SHA you still need a secure connection assuming the website wouldn't get
> compromised,
> or digitally signed releases assuming the signing won't be misconfigured, or
> the keys won't get compromised.
>
> But I agree that this should be solved, or at least improved; but then again
> whole smalltalkhub doesn't use https and you are sending your credentials in
> plaintext over the network (have fun committing from a hotel room wifi)…
> security through obscurity can be incredibly efficient.
>
> Of course that means that we need someone with the time and knowledge that
> can invest effort into this.
>
> Peter
>
> On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <me at wilfred.me.uk> wrote:
>>
>> Is there any way of downloading Pharo securely?
>>
>> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
>> data:
>>
>> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
>> --2016-05-02 22:44:34--
>> https://files.pharo.org/platform/Pharo4.0-linux.zip
>> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
>> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443...
>> connected.
>> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol
>> Unable to establish SSL connection.
>>
>> The excellent pharo zeroconf script doesn't seem available over HTTPS
>> either:
>>
>> $ curl https://get.pharo.org/vm50
>> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol
>>
>> Looking at the script itself, it's downloading files over HTTP from
>> files.pharo.org and executing them without verifying. I've explored
>> files.pharo.org, but I can't see any signatures or hashes (e.g.
>> sha256sum) of any of the files.
>>
>> The pharo homepage is largely available at https://pharo.org/
>> (although some of the styling is missing due to being served over
>> HTTP).
>>
>> Have I missed something? Would it be possible to provide HTTPS and/or
>> sha256sums for downloads?
>>
>>
>> Wilfred
>>
>
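The checksum check discussed in this thread, as an added example that is not from the list posts or from the Pharo project: it hashes a downloaded file against an expected SHA-256 value (failing closed on mismatch), refuses to fetch over anything but HTTPS, and pulls the digests out of a PKGBUILD so a user can compare the packager's value with the one published upstream. The function names, the curl options and the test values are assumptions of mine; as the thread notes, a hash served from the same site only catches corruption, not a compromised host.

```shell
#!/bin/sh
# Added example, not Pharo project code. Requires sha256sum (coreutils) or
# shasum (BSD/macOS), curl, awk and grep.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 only if FILE hashes to EXPECTED_HEX.
# Case is normalised so a digest copied from a web page still compares.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX: download over HTTPS only (curl is told
# not to follow a redirect to plain http), verify, and delete on mismatch so
# an unverified archive is never left around to be unzipped or executed.
fetch_and_verify() {
    url=$1
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    out=$(basename "$url")
    curl --fail --silent --show-error --location --proto '=https' \
         --tlsv1.2 -o "$out" "$url" || return 1
    verify_sha256 "$out" "$2" || { rm -f "$out"; return 1; }
}

# pkgbuild_sha256sums FILE: print the hex digests listed in a PKGBUILD's
# sha256sums=(...) array (single- or multi-line), one per line, so they can be
# compared with the value the upstream site publishes.
pkgbuild_sha256sums() {
    awk '/^sha256sums=\(/ { inarr = 1 } inarr { print } inarr && /\)/ { inarr = 0 }' "$1" \
        | grep -o '[0-9a-f]\{64\}'
}
```

Usage: `fetch_and_verify https://files.pharo.org/platform/Pharo4.0-linux.zip <digest from pharo.org>` followed by `pkgbuild_sha256sums PKGBUILD` to compare with what the AUR package expects.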