Do not download dependencies from insecure sources #17945
Comments
I believe we do have and check SHA512 hashes for all dependencies.
Since we do SHA512 hash checks, I don't think the transport matters.
Correct, all dependencies are checked for integrity via SHA512 hashes: https://github.com/JuliaLang/julia/tree/master/deps/checksums. The transport should not need to be encrypted.
we could change any of the urls to https if that doesn't break anything, I doubt anyone would notice a difference. would have to remove the insecure/
Good catch! @vtjnash points out that objconv is the only dependency that's not versioned, so upstream changes frequently without warning. We probably need to rehost that particular download.
Even though 99% of those building Julia probably receive their libraries from Yggdrasil, this should be easy enough to fix and close.
dsfmt and lapack should be picked up from github. I'll check the others as well.
* Update non-BB dsfmt build to match with the BB one. Update URLs to https Fix #17945 * Add -DDSFMT_SHLIB
* Update non-BB dsfmt build to match with the BB one. Update URLs to https Fix JuliaLang#17945 * Add -DDSFMT_SHLIB
Currently, Julia downloads dependencies from insecure connections in many cases (http:// or git://). This allows for a man-in-the-middle attack, resulting in total compromise of the developer's system. The only solution is to ensure that all downloads are fetched via secure https:// connections (with strict TLS certificate checking) and (ideally) have SHA512 hashes as well.
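The two controls the issue asks for, written out as an added example (this is not code from the Julia repository): a POSIX shell download step that refuses anything but https://, lets curl enforce certificate checking, and verifies a pinned SHA512 before the build can touch the file. Where the expected hashes are stored is assumed here, not taken from Julia's own layout.

```shell
#!/bin/sh
# Added example (not code from the Julia repository): a dependency download
# step that refuses insecure transports and verifies a pinned SHA512 before
# anything unpacks the file. Hash storage layout is assumed, not Julia's own.

# Accept only https:// URLs; http:// and git:// leave a MITM free to swap bytes.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing insecure URL: $1" >&2; return 1 ;;
    esac
}

# Portable SHA512 digest (coreutils sha512sum, else BSD/perl shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Compare the downloaded file's digest with the pinned one. On mismatch the
# file is deleted so a tampered artifact cannot be picked up by a later step.
verify_sha512() {
    file=$1; expected=$2
    actual=$(sha512_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "SHA512 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
}

# Fetch one dependency: https only, strict TLS (curl rejects bad certificates
# by default; --proto '=https' also blocks redirects down to http), then
# hash-check before the build touches it.
fetch_dep() {
    url=$1; out=$2; expected=$3
    require_https_url "$url" || return 1
    curl --fail --location --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
    verify_sha512 "$out" "$expected"
}
```

Because the hash check deletes a mismatching file, a build that runs `fetch_dep` and then unpacks the result cannot silently proceed with a swapped tarball even if the transport were downgraded.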