Authenticate deployed artifacts

Description

clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the linux install.

One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.
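The checksum-list-plus-signify scheme proposed above, as an added shell example that is not code from the clojure-tools project or this ticket; it also goes one step beyond the proposal by showing the consumer-side verification and a checksum-only fallback. Artifact names, key names and the sample files are constructed, and the signify flags are those of OpenBSD signify.

```shell
#!/bin/sh
# Added example, not from the clojure-tools project: release side writes a
# SHA256 checksum list for the artifacts and signs it with signify; consumer
# side verifies signature and checksums in one step. Names are assumptions.
set -eu

# Print the hex SHA-256 of one file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# Release side: write DIR/SHA256 in the "SHA256 (file) = hex" form that
# `signify -C` parses.  Usage: make_checksums DIR FILE...  (FILEs relative to DIR)
make_checksums() {
  dir=$1; shift
  ( cd "$dir" && for f in "$@"; do
      printf 'SHA256 (%s) = %s\n' "$f" "$(sha256_of "$f")"
    done > SHA256 )
}

# Sign the list; -e embeds the list in SHA256.sig so one file carries both.
sign_checksums() {            # $1 = DIR, $2 = signify secret key (hypothetical path)
  signify -S -e -s "$2" -m "$1/SHA256" -x "$1/SHA256.sig"
}

# Consumer side: -C verifies the signature on the embedded list, then hashes and
# compares every listed file.  Non-zero exit on a bad signature or any mismatch.
verify_release() {            # $1 = DIR, $2 = signify public key
  ( cd "$1" && signify -C -p "$2" -x SHA256.sig )
}

# Checksum-only check (no signify): catches a corrupted or altered artifact but
# not a replaced checksum list, which is exactly why the list must be signed.
verify_checksums_only() {     # $1 = DIR; returns 0 only if every listed file matches
  ( cd "$1" && while IFS= read -r line; do
      f=${line#SHA256 (}; f=${f%%)*}; want=${line##* = }
      [ "$(sha256_of "$f")" = "$want" ] || { echo "MISMATCH: $f" >&2; exit 1; }
    done < SHA256 )
}
```

The public key is the trust anchor: it has to reach users over a channel independent of the download (for example embedded in the getting-started page or the installer), otherwise an attacker who swaps the artifacts can swap the key too.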

Environment

None

Activity

Alex Miller, June 25, 2021 at 8:34 PM

The Linux script and tar.gz are downloaded via https (and have been as long as I can remember).

It would be useful to provide checksum or signature, but moving this to backlog for now.

Jason Whitlark, November 6, 2018 at 2:22 AM

I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started

The tarball that's downloaded as the base for the script also does not authenticate its source.

Created March 14, 2018 at 8:32 PM
Updated June 25, 2021 at 8:35 PM