[Pharo-users] Securely downloading Pharo

Marcus Denker marcus.denker at inria.fr
Fri May 6 03:11:26 EDT 2016


Hi,

Yes, we should have fixed all that a long time ago. The problem is of course
that “we should have fixed” only gets true after “I fixed it”… so I will block some
time next week after the release to work on that.

- fix https version of pharo.org.
- setup ssl for all sites
- provide checksum for files.


	Marcus

> On 04 May 2016, at 23:51, Wilfred Hughes <me at wilfred.me.uk> wrote:
> 
> Yep, a SHA sum is less useful if it's on the same site. Still, it
> would be really useful to check the file against accidental
> corruption. It would also be useful for comparing with the checksums
> used by packagers,
> e.g. https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pharo#n27.
> Users could see if their Pharo package was the same as the package
> on pharo.org.
> 
> pharo.org very nearly works with HTTPS, it's just a few JS/CSS files
> that need to stop using absolute URLs (so e.g.
> "http://pharo.org/files/screenshots/pharo-is-yours.png" should be a
> protocol-relative URL
> "//pharo.org/files/screenshots/pharo-is-yours.png").
> 
> Is the site hosted somewhere that users can send patches to?
> 
> On 3 May 2016 at 23:54, Peter Uhnák <i.uhnak at gmail.com> wrote:
>> I guess you could download it from the Jenkins job
>> https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/
>> 
>> although the job itself downloads over http from files.pharo.org… but
>> Jenkins should be fine enough if you are worried about MitM between you and
>> Pharo.
>> 
>> For SHA you still need a secure connection assuming the website wouldn't get
>> compromised,
>> or digitally signed releases assuming the signing won't be misconfigured, or
>> the keys won't get compromised.
>> 
>> But I agree that this should be solved, or at least improved; but then again
>> whole smalltalkhub doesn't use https and you are sending your credentials in
>> plaintext over the network (have fun committing from a hotel room wifi)…
>> security through obscurity can be incredibly efficient.
>> 
>> Of course that means that we need someone with the time and knowledge that
>> can invest effort into this.
>> 
>> Peter
>> 
>> On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <me at wilfred.me.uk> wrote:
>>> 
>>> Is there any way of downloading Pharo securely?
>>> 
>>> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
>>> data:
>>> 
>>> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
>>> --2016-05-02 22:44:34--  https://files.pharo.org/platform/Pharo4.0-linux.zip
>>> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
>>> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443... connected.
>>> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>>> Unable to establish SSL connection.
>>> 
>>> The excellent pharo zeroconf script doesn't seem available over HTTPS
>>> either:
>>> 
>>> $ curl https://get.pharo.org/vm50
>>> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>>> 
>>> Looking at the script itself, it's downloading files over HTTP from
>>> files.pharo.org and executing them without verifying. I've explored
>>> files.pharo.org, but I can't see any signatures or hashes (e.g.
>>> sha256sum) of any of the files.
>>> 
>>> The pharo homepage is largely available at https://pharo.org/
>>> (although some of the styling is missing due to being served over
>>> HTTP).
>>> 
>>> Have I missed something? Would it be possible to provide HTTPS and/or
>>> sha256sums for downloads?
>>> 
>>> 
>>> Wilfred
>>> 
>> 
> 
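The download-and-verify step the thread is asking for, as an added example (not code from the thread or from the Pharo project): it refuses to fetch anything that is not HTTPS and checks a file against a published SHA256SUMS listing, failing closed on a mismatch or on a missing entry. The SHA256SUMS layout ("<hex>  <filename>" per line), the file names and the sample contents are assumptions constructed for the demo.

```shell
# Added example (not code from the thread or the Pharo project): fetch only
# over HTTPS and verify against a published SHA256SUMS ("<hex>  <name>" lines).

# Print the SHA-256 hex digest of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_https URL DEST: refuse anything but https:// so a plain-http fetch
# (the zeroconf problem described above) can never happen silently.
fetch_https() {
    case $1 in
        https://*) curl --fail --silent --show-error --proto '=https' -o "$2" "$1" ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# verify_download FILE SUMSFILE: succeed only if SUMSFILE lists FILE's
# basename and the digest matches; a missing entry fails closed too.
verify_download() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
    [ -n "$expected" ] || { echo "no checksum published for $name" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ] || { echo "MISMATCH for $name" >&2; return 1; }
    echo "OK: $name"
}

# Constructed sample data: a good archive, a tampered copy whose published
# digest no longer matches, and a file with no published digest at all.
make_sample() {
    dir=$(mktemp -d)
    printf 'pharo image bytes\n' > "$dir/Pharo4.0-linux.zip"
    printf 'pharo image bytes, tampered\n' > "$dir/tampered.zip"
    printf 'no entry\n' > "$dir/unlisted.zip"
    good=$(sha256_of "$dir/Pharo4.0-linux.zip")
    printf '%s  %s\n' "$good" Pharo4.0-linux.zip "$good" tampered.zip > "$dir/SHA256SUMS"
    echo "$dir"
}

# Demo when run directly: the good archive passes, the other two are rejected.
dir=$(make_sample)
verify_download "$dir/Pharo4.0-linux.zip" "$dir/SHA256SUMS"
verify_download "$dir/tampered.zip" "$dir/SHA256SUMS" || echo "tampered.zip rejected"
verify_download "$dir/unlisted.zip" "$dir/SHA256SUMS" || echo "unlisted.zip rejected"
```

For a real release the SHA256SUMS file only adds value when it is served over HTTPS or signed, as Peter notes above; the script just makes the check mechanical and fail-closed.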
