[IDEA] Add user feedback to verify integrity of boxes #221

Closed
panique opened this issue Oct 27, 2013 · 3 comments

@panique

panique commented Oct 27, 2013

Currently it is - in theory - possible that somebody installs bad stuff in a box and adds the infected box to this list (keyloggers that grab your git key/pw for example, please correct me if I'm wrong here). There should be something to verify the "cleanness" of a box, like user ratings etc.

@JonTheNiceGuy
Collaborator

Unfortunately, this would only work if we tied a database alongside the webpage, which the stated aim of this was to make things easier for the author of the project by keeping the cruft to a minimum. I would suggest that if someone has put a dodgy box in the list, a PR or issue is submitted to remove the box from the list.

@alexzorin

Unfortunate to see this dismissed without much discussion.

It's not a trivial problem that any of the boxes could be substituted at any time with something malicious, or for every 1/n downloads.

> Unfortunately, this would only work if we tied a database alongside the webpage

It's not necessarily the case. Box authors could easily digitally sign their images and add the signature to the pull requests (just as an extra to be included with the box URL, a fairly standard practice).

This has many benefits:

  • Ties the contents of the actual box image to the author of the PR
  • Prevents anybody (including the author) from updating the image out-of-band without making a PR to update the signature with the original PGP key.
  • Encourages trustworthy behavior from box authors
  • For people who don't care about the integrity of the boxes, there is no extra work. For people who do care, a simple gpg --verify takes care of it.
  • No software changes. Just allow PRs to include a [link to a] digital signature file.

Most of all, this should be documented clearly to encourage people to do it.

I'd be glad to lend a hand if this sounds good to maintainers.
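
Added example, not part of the thread or the project's code: the `gpg --verify` check suggested in the comment above, tightened so it passes only when the signature was made by the key whose fingerprint was recorded with the box entry. Plain `gpg --verify` accepts a valid signature from any key in the local keyring. The function names, and the idea of publishing the fingerprint next to the signature link, are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded box against a detached signature AND a
# pinned signer fingerprint (assumed to be published with the box entry).

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of the key behind a cryptographically valid signature; fail if there is none.
# In a VALIDSIG line, field 3 is the signing (sub)key fingerprint and the
# 12th field, when present, is the primary key fingerprint.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print (NF >= 12 ? $12 : $3); found = 1; exit
         }
         END { exit !found }'
}

# Compare two fingerprints, ignoring spaces and letter case.
# Empty input never matches.
same_fpr() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_box BOX SIG PINNED_FPR
# Succeeds only if SIG is a valid detached signature over BOX and the signer's
# primary key is PINNED_FPR. The signer's public key must already be imported.
verify_box() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | validsig_fpr) || return 1
    same_fpr "$signer" "$3"
}

# Usage (file names and fingerprint are placeholders):
#   verify_box example.box example.box.asc "<fingerprint from the box entry>" \
#       || echo "signature check failed, do not use this box" >&2
```

Pinning the fingerprint is what ties the image to the author of the PR: a replaced image re-signed with a different key still yields a "good signature" from `gpg --verify` if that key is in the keyring, but fails this check.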

@JonTheNiceGuy
Collaborator

Thanks for the feedback @alexzorin. What you're proposing isn't what the OP proposes. Their suggestion was to have a process to check the "cleanliness" of a box, something which the site's volunteers don't have the resources to implement, or to add ratings which by their nature require a dynamic system that garethr didn't want to implement or maintain.

What you're proposing is closer to #123 ("Add MD5 to each box") to add a way to verify the downloaded box is right. A GPG signature is probably a better idea - all things considered, but given you're suggesting retrospectively adding this to all 246 boxes, I think we might struggle a bit with it.

That said, it's probably better to add the comment to the mentioned issue, which more closely aligns with this proposal, and we'll see what we can do with it.
