Add option to not install casks with insecure properties #10380
Comments
vitorgalvao
added
enhancement
core
|
👍 I like the idea. |
|
👍 |
|
I like the idea, however Let's say your threat model considers the brew cask maintainers as trustworthy —which it should if you're using it and have installed it in the first place—, and that you're trying to protect against running software that has been altered by someone actively man-in-the-middling your internet connection. Now, the power of that someone is a really important factor. I will try to keep it realistic and say it's someone who simply wants to play a prank on you, or try to claim your bounty (example). The bounty you see in this example is ฿ 0.8, which amounts to about 182€. It would be irrational for someone trying to claim this bounty to spend more than 182€—otherwise they'd lose money! This is the highest bounty I've personally seen for such an attack so I think it makes sense to use this as a baseline. If anyone is considering a different threat model I'll be glad to discuss. Now let's say you download some software via cask, your download comes from HTTP but gets compared to the checksum the maintainers have personally verified. This happens before any code downloaded is run of course, so I can't see any risk here. All this, provided that you trust the maintainers. Before someone jumps the gun and claims that using https for the download will protect him against a malicious government agent, I'd like to point out that faking an https government is a trivial task for any government in the world. (recent example) Therefore, if you're trying to defend against governments, https can be trivially compromised, a problem, however, exists only when Now, you can see that the burden of having the right hashes and download links for all casks lies to the maintainers, that we all (the users) trust according to the aforementioned threat model. This is a serious issue that I'm not sure has really been tackled even in bigger package management teams like apt-get or yum. There should really be an internal discussion about what casks can be let in, how the download links and checksums are verified, if having a connection from a maintainer to someone who's signed software through the GPG WoT plays an important role, etc. I'm not in a position to critique this, however. Finally, I suggest that brew cask should be thoroughly threat modelled by the maintainers. My quick (personal) threat model example is only a useful start for not jumping the gun where it's not needed. |
|
To clarify, the behavior should work as follows (code A): The behavior should not work as follows (code B): As @gtklocker pointed out, a SHA256 is enough when a link is http. |
|
In code A, shouldn't there be a third case? Ideally every cask should have a https link and a SHA256. |
|
The first case in my code A captures your third case; if the URL is https and there's a valid SHA256 then, necessarily, the URL is https. But to answer your comment, I don't see why an https URL with a SHA256 check is more ideal than just a SHA256 for cask. HTTPS doesn't add any security in this case. (It's nice to have if you expect people to download software outside of cask of course.) |
|
Yes, I was going to raise that point. Having a checksum or GPG verification is more ideal than having a https link. Which bring us back to the point that people have to trust us as maintainers. |
|
Closed in favour of #18831. Checking for |
miccal
removed
core
Something like a
--no-insecureflag (set at runtime or inHOMEBREW_CASK_OPTS) that will notinstalla cask and produce an error message if in the cask (only one needed):urlstarts with anything other thanhttps.sha256is:no_check.Refs #1824 #10377 #7062.
The text was updated successfully, but these errors were encountered: