
Check archive md5 sums #169

Open. Wants to merge 2 commits into master.

Conversation

frejanordsiek

This makes it so that quicklisp checks the MD5 sums of downloaded archives when installing packages. The check is added to the ql-dist:check-local-archive-file function.

I pulled the MD5 code from the md5 package (see https://pmsf.eu/resources/lisp/MD5.html and https://github.com/pmai/md5), removed the dependency on flexi-streams, split the code between two files to better organize general utilities that would be useful for a future addition of checking other kinds of checksums, and renamed some functions.

I've tested it on x86-64 Debian Stretch on the following implementations:

  • SBCL 1.3.14 (64-bit)
  • ECL 15.3.7 (64-bit)
  • ABCL 1.5.0 on Java 1.8.0 (64-bit)
  • CCL 1.11.5 (32-bit and 64-bit)

@quicklisp (Owner)

Thank you very much for this pull request, and sorry for the late response. I'm a little hesitant to use the MD5 code as-is because of how it uses internal packages and functionality. I'm also going to add some sha256 download checks "soon" that would make this obsolete. I'm going to keep this PR open and revisit it soon.

@frejanordsiek (Author)

What you are proposing is better. This was just something that was very quick to put together that did a very minimal check. And it was a very very minimal one. On the upside, with the testing I did, if there was anyone man-in-the-middling me, they at least went to the trouble to make the md5 hashes match.

As for the direction you are going, I have put some thought into it since I dug around a bit. I am going to mention my thoughts on the off chance you missed something.

There are already md5 and sha1 checksums in the releases file. It is just a matter of replacing one of them with sha256 or sha3-256 or whatever and making the checksum be checked for each downloaded file.

But then there is still the issue of getting the releases and systems files intact. So if checksums are added to the distinfo.txt for them as well, then, as long as one can get distinfo.txt without it being tampered, one can then get the rest and catch any tampering.

This makes it so that only distinfo.txt must be gotten securely initially and then every update.

I have a couple ideas on how to do just that. Maybe you have other ones or better ones. My ideas are based on the fact that the quicklisp website itself does support https and people can use their browser. If there is a link to the latest distinfo.txt and a checksum of it at the top of the webpage, people could either download the file themselves and insert it into quicklisp, or copy the checksum and then pass it to the quicklisp updating function in CL and then quicklisp will download it and check that the checksum matches.
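The verification chain sketched in the two comments above (a trusted digest for distinfo.txt, which vouches for the releases file, which vouches for each archive, the last step being what the PR itself adds for MD5), as an added example. This is illustrative Python written for this page, not code from the PR and not quicklisp's Common Lisp; the `release-index-sha256` key, the releases-file column layout, the `beta.example` URLs and the archive bytes are all constructed for the example, and the in-memory `repo` dict stands in for the network.

```python
# Added example, not part of the PR or of quicklisp: a model of the checksum chain
# distinfo.txt -> releases.txt -> archive. File layouts and URLs are assumed.
import hashlib
import hmac


class ChecksumMismatch(Exception):
    """Raised when a downloaded file does not match the digest its parent file lists."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(fetch, url, expected_hex):
    """Download url via fetch() and refuse it unless its SHA-256 equals expected_hex.
    The digest is checked before the bytes are parsed or unpacked, so a tampered
    file is never interpreted."""
    data = fetch(url)
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_hex):
        raise ChecksumMismatch(f"{url}: expected {expected_hex[:12]}..., got {actual[:12]}...")
    return data


def parse_distinfo(text):
    """Assumed distinfo.txt layout: one 'key: value' per line."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def parse_releases(text):
    """Assumed releases.txt layout: a '# ...' header line, then one release per line
    with whitespace-separated fields: project url size sha256 prefix."""
    releases = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        project, url, size, digest, prefix = line.split()[:5]
        releases[project] = {"url": url, "size": int(size), "sha256": digest, "prefix": prefix}
    return releases


def install(fetch, distinfo_url, distinfo_sha256, project):
    """Walk the chain: trusted distinfo digest -> distinfo -> releases -> archive.
    Only distinfo_sha256 has to come from a channel the attacker cannot rewrite."""
    distinfo = parse_distinfo(fetch_verified(fetch, distinfo_url, distinfo_sha256).decode())
    releases_txt = fetch_verified(fetch, distinfo["release-index-url"],
                                  distinfo["release-index-sha256"])
    release = parse_releases(releases_txt.decode())[project]
    archive = fetch_verified(fetch, release["url"], release["sha256"])
    if len(archive) != release["size"]:
        raise ChecksumMismatch(f"{release['url']}: size {len(archive)} != {release['size']}")
    return archive


def build_repo():
    """Constructed stand-in for a dist server: a dict of url -> bytes.
    Returns (repo, distinfo_url, distinfo_sha256); the digest plays the role of the
    value a user would copy from the project's https web page."""
    archive = b"PK\x03\x04 constructed archive bytes for alexandria"
    archive_url = "http://beta.example/archive/alexandria/alexandria-20230101.tgz"
    releases_txt = (
        "# project url size sha256 prefix\n"
        f"alexandria {archive_url} {len(archive)} {sha256_hex(archive)} alexandria-20230101\n"
    ).encode()
    releases_url = "http://beta.example/dist/releases.txt"
    distinfo_txt = (
        "name: example-dist\n"
        "version: 2023-01-01\n"
        f"release-index-url: {releases_url}\n"
        f"release-index-sha256: {sha256_hex(releases_txt)}\n"
    ).encode()
    distinfo_url = "http://beta.example/dist/distinfo.txt"
    repo = {archive_url: archive, releases_url: releases_txt, distinfo_url: distinfo_txt}
    return repo, distinfo_url, sha256_hex(distinfo_txt)


def tampered_install(url_to_tamper, project="alexandria"):
    """Simulate an on-path attacker altering one served file. Returns the name of the
    exception the chain raised, or None if the tampering went unnoticed."""
    repo, distinfo_url, distinfo_sha = build_repo()
    repo[url_to_tamper] = repo[url_to_tamper] + b"\n# injected"
    try:
        install(repo.__getitem__, distinfo_url, distinfo_sha, project)
    except ChecksumMismatch as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    repo, url, digest = build_repo()
    print("clean install:", len(install(repo.__getitem__, url, digest, "alexandria")), "bytes")
    for target in repo:
        print("tamper", target.rsplit("/", 1)[-1], "->", tampered_install(target))
```

Whichever file the attacker rewrites, the mismatch surfaces at the step that downloads it, because each file's digest is fixed by the file above it. The whole chain rests on the first digest arriving intact (the https page the comment proposes), and on the hash being collision resistant: the md5 and sha1 columns already in the releases file are not suitable for that role, since collisions for both are practical today, which is why the comment suggests replacing one with sha256 or sha3-256.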
