Authenticate deployed artifacts

Description

clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the linux install.

One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.

Environment

None

Activity

Show:

Jason Whitlark

November 6, 2018, 2:22 AM

Copy link to comment

I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started

The tarball that's downloaded as the base for the script also does not authenticate its source.

Assignee

Alex Miller

Reporter

Ghadi Shayban

Labels

security

Approval

None

Patch

None

Priority

Major

Configure