Consider providing an asc file for gpg checking for rustup-init #915
Comments
https://static.rust-lang.org/dist/index.html has

@steveklabnik this request is for the rustup-init file, I can't see it there. Could it be added to the same process?

Hello, has this been looked into?
Currently, all the security checks provided in rustup-init have little gain for new users downloading a file that may have gone rogue, etc. This is considered TOFU (Trust On First Use) security.
For a more security-aware user, it would be nice to still permit them to use rustup, while providing them with the ability to check the .asc of the download before running it.
There isn't a .asc described here https://internals.rust-lang.org/t/future-updates-to-the-rustup-distribution-format/4196 for this file either.
Related to #242 (this would still be considered TOFU security).
Basically, my goal is to have a reproducible Dockerfile with verifiable security (I have this here: https://hub.docker.com/r/kingstontime/docker-rust/~/dockerfile/, but without rustup and currently without Cargo).
Perhaps a lightweight bash file, like the Dockerfile, that can easily be verified would be an option?
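The verify-before-run flow the post asks for, as an added example that is not the rustup project's own code: a POSIX sh wrapper that downloads an installer together with a detached `.asc` signature, checks it against a keyring pinned in the image, and executes it only if the signature is good. The download URL, the `rustup-init.sh` file name and the keyring path are assumptions; the wrapper presumes the signing key was exported into that keyring ahead of time.

```shell
#!/bin/sh
# Added example, not rustup's own code: verify-before-run wrapper for an installer
# published with a detached OpenPGP signature ("<file>.asc").
# Assumption (hypothetical): the signing key has already been exported into a
# local keyring file that is pinned in the image, so trust does not rest on
# whatever key a first download happens to bring along (the TOFU problem above).

# fetch_installer URL DEST: download the installer and its .asc side by side.
# Both fetches are pinned to HTTPS so a downgrade cannot swap in a plaintext copy.
fetch_installer() {
    url=$1; dest=$2
    curl -sSf --proto '=https' --tlsv1.2 -o "$dest" "$url" &&
        curl -sSf --proto '=https' --tlsv1.2 -o "$dest.asc" "$url.asc"
}

# verify_installer FILE SIG KEYRING (KEYRING must be an absolute path)
# Returns 0 only when SIG is a valid signature over FILE by a key in KEYRING.
# Distinct non-zero codes separate "artifact missing" from "signature bad".
verify_installer() {
    file=$1; sig=$2; keyring=$3
    [ -f "$file" ]    || { echo "missing installer: $file" >&2; return 2; }
    [ -f "$sig" ]     || { echo "missing signature: $sig, refusing unverified run" >&2; return 3; }
    [ -f "$keyring" ] || { echo "missing pinned keyring: $keyring" >&2; return 4; }
    # --no-default-keyring + --keyring restrict verification to the pinned key;
    # the user's own keyring and any keys fetched from the network are never consulted.
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$file" >/dev/null 2>&1 || {
        echo "BAD signature on $file" >&2; return 5; }
}

# run_verified URL DEST KEYRING [installer args...]: the full flow; DEST is
# executed only after it verifies, with any remaining arguments passed through.
# Example (placeholder URL):
#   run_verified https://example.invalid/rustup-init.sh ./rustup-init.sh /etc/keys/rust.gpg -y
run_verified() {
    url=$1; dest=$2; keyring=$3; shift 3
    fetch_installer "$url" "$dest" &&
        verify_installer "$dest" "$dest.asc" "$keyring" &&
        sh "$dest" "$@"
}
```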