Do not download dependencies from insecure sources #17945

Closed
DemiMarie opened this issue Aug 10, 2016 · 8 comments · Fixed by #38917
Labels: building (Build system, or building Julia or its dependencies)

Comments
@DemiMarie (Author) opened this issue Aug 10, 2016

Currently, Julia downloads dependencies from insecure connections in many cases (http:// or git://). This allows for a man-in-the-middle attack, resulting in total compromise of the developer's system.

The only solution is to ensure that all downloads are fetched via secure https:// connections (with strict TLS certificate checking) and (ideally) have SHA512 hashes as well.

@JeffBezanson (Member)

I believe we do have and check SHA512 hashes for all dependencies.

@StefanKarpinski (Member)

Since we do SHA512 hash checks, I don't think the transport matters.

@Keno (Member) commented Aug 10, 2016

Correct, all dependencies are checked for integrity via SHA512 hashes: https://github.com/JuliaLang/julia/tree/master/deps/checksums. The transport should not need to be encrypted.

@tkelman (Contributor) commented Aug 10, 2016

We could change any of the URLs to https if that doesn't break anything; I doubt anyone would notice a difference. Would have to remove the insecure/-k flag from deps/tools/jldownload too, though.

@DemiMarie (Author)

objconv is not checked. Switching to an HTTPS URL fails with a certificate error.

@Keno (Member) commented Aug 10, 2016

Good catch! @vtjnash points out that objconv is the only dependency that's not versioned, so upstream changes frequently without warning. We probably need to rehost that particular download.
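The position taken above (pinned SHA-512 checks make the transport irrelevant) and the objconv exchange that follows it (an unpinned, unversioned download is not protected at all) are two halves of the same check. As an added example, not Julia's deps/tools/jldownload or any other project code, here is a POSIX sh wrapper in the shape such a tool would take: it fetches only over HTTPS with certificate verification left on (no -k/--insecure), verifies the download against a pinned SHA-512 before the file gets its final name, and treats a missing pin as a hard failure instead of a silent pass. The jl_* names, the curl flags and the way the pin is passed in are my own assumptions; the demo at the bottom uses a constructed file and no network.

```shell
#!/bin/sh
# Added example, not the Julia build system's own downloader.
# Assumptions: the caller looks up the pinned SHA-512 for a tarball
# (e.g. from a deps/checksums-style store) and passes it as an argument.
set -eu

# Hex SHA-512 of a file; works with coreutils (sha512sum) and BSD/macOS (shasum).
jl_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# jl_verify FILE EXPECTED_SHA512
# Exit 0 only when the file hashes to the pinned value.
# An empty pin is refused (exit 2), not skipped: an unpinned dependency,
# the objconv case in this thread, would otherwise go through unchecked.
jl_verify() {
    file=$1; expected=$2
    if [ -z "$expected" ]; then
        echo "jl_verify: no pinned checksum for $file, refusing to use it" >&2
        return 2
    fi
    actual=$(jl_sha512 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "jl_verify: checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# jl_fetch URL OUT
# HTTPS only, certificate verification on (never -k), and no redirect may
# downgrade to http://. Not exercised by the offline demo below.
jl_fetch() {
    url=$1; out=$2
    case $url in
        https://*) ;;
        *) echo "jl_fetch: refusing non-HTTPS URL $url" >&2; return 2 ;;
    esac
    curl --fail --location --proto '=https' --proto-redir '=https' \
         --tlsv1.2 --silent --show-error -o "$out" "$url"
}

# jl_fetch_verified URL OUT EXPECTED_SHA512
# Download to a temporary name and rename only after verification, so a
# tampered or unpinned file never exists under the name the build consumes.
jl_fetch_verified() {
    url=$1; out=$2; expected=$3
    jl_fetch "$url" "$out.part"
    if jl_verify "$out.part" "$expected"; then
        mv "$out.part" "$out"
    else
        rm -f "$out.part"
        return 1
    fi
}

# Offline demo with a constructed artifact (no network access).
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/dep.tar.gz"
# SHA-512 of the three bytes "abc" (standard test vector), standing in for a pinned entry.
PIN=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
jl_verify "$demo_dir/dep.tar.gz" "$PIN" && echo "dep.tar.gz: checksum ok"
# Simulate a man-in-the-middle swapping the body during an http:// transfer.
printf 'abc (tampered in transit)' > "$demo_dir/dep.tar.gz"
jl_verify "$demo_dir/dep.tar.gz" "$PIN" || echo "dep.tar.gz: rejected"
# Simulate a dependency with no pin at all.
jl_verify "$demo_dir/dep.tar.gz" "" || echo "dep.tar.gz: refused, no pin"
rm -rf "$demo_dir"
```

Two things the hash check does not buy on its own: the pin has to reach the builder through a channel the attacker cannot rewrite (here, the git checkout that carries the checksum files), and a dependency that changes upstream without a version cannot be pinned at all, which is why rehosting a fixed snapshot is the right fix for objconv rather than an HTTPS URL. `--proto-redir '=https'` is there because a redirect from an HTTPS URL to a plain http:// one would otherwise downgrade the transfer without any error.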

@kshyatt kshyatt added the building Build system, or building Julia or its dependencies label Aug 10, 2016
@ViralBShah ViralBShah self-assigned this Dec 17, 2020
@ViralBShah (Member)

Even though 99% of those building Julia probably receive their libraries from Yggdrasil, this should be easy enough to fix and close.

➜  deps git:(master) grep http\: *
blas.mk:	$(JLDOWNLOAD) $@ http://www.netlib.org/lapack/$(notdir $@)
grep: checksums: Is a directory
dsfmt.mk:	$(JLDOWNLOAD) $@ http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/dSFMT-src-$(DSFMT_VER).tar.gz
mpfr.mk:	$(JLDOWNLOAD) $@ http://www.mpfr.org/mpfr-$(MPFR_VER)/$(notdir $@)
objconv.mk:	$(JLDOWNLOAD) $@ http://www.agner.org/optimize/objconv.zip

@ViralBShah (Member)

dsfmt and lapack should be picked up from github. I'll check the others as well.

ViralBShah added a commit that referenced this issue Dec 17, 2020
KristofferC pushed a commit that referenced this issue Dec 17, 2020
* Update non-BB dsfmt build to match with the BB one.
Update URLs to https
Fix #17945

* Add -DDSFMT_SHLIB
KristofferC pushed a commit that referenced this issue Dec 17, 2020 (same message, cherry picked from commit b36338a)
staticfloat pushed a commit that referenced this issue Jan 15, 2021 (same message, cherry picked from commit b36338a)
ElOceanografo pushed a commit to ElOceanografo/julia that referenced this issue May 4, 2021 (same message, "Fix JuliaLang#17945")
staticfloat pushed a commit that referenced this issue Dec 23, 2022 (same message, cherry picked from commit b36338a)
7 participants