coreutils

Re: [PATCH] cksum: add --check-stream=CHECKSUM flag


From: Akihiro Suda
Subject: Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
Date: Mon, 16 Dec 2024 03:12:07 +0900

Hi Pádraig,

> Similar functionality was discussed a long time ago as listed at:
> https://www.gnu.org/software/coreutils/rejected_requests.html#checksum
> specifically https://bugs.gnu.org/13243

This doesn't seem similar.
My proposal is about verifying the checksum, while the rejected
proposal from 2012 was about producing the checksum.

> Now I do agree checking the stream is more concise with this option
> than using existing tools, but I'm not sure it's warranted.
> With existing tools you'd have:
>
>    tmpf=$(mktemp) && curl -fs https://example.com/install.sh > "$tmpf" \
>    && sha256sum --status --check <(echo deadbeef  -) < "$tmpf" && sh "$tmpf"; rm "$tmpf"

Yes, but this is too complicated and ugly.
I have never seen this pattern actually used in the wild.

> BTW I don't fully understand the use case. I presume it's not for security
> as if one could compromise the install.sh, presumably one could
> compromise the checksum in the instructions. So I'm presuming it's
> for extra resiliency or something?

The instructions are often duplicated to third-party documents, blogs,
books, etc., and also archived in web.archive.org.
So there is a huge chance that the compromise of the checksum can be detected.

Also, the --check-stream option should be useful for fetching content
from raw.githubusercontent.com in a more trustworthy way.

* Before: curl https://raw.githubusercontent.com/ORG/REPO/**COMMIT_HASH**/FILE
* After:  curl https://raw.githubusercontent.com/ORG/REPO/**TAG_NOT_HASH**/FILE | sha256sum --check-stream=CHECKSUM

The point is that `COMMIT_HASH` may not belong to `ORG/REPO`
(surprisingly), while `TAG_NOT_HASH` always belongs to `ORG/REPO`.

Demo:

    $ curl https://raw.githubusercontent.com/coreutils/coreutils/3f14424117fe112c3a4688f245cb7749a7a70a4f/DEMO-20241216
    Demo file for the discussion in the "[PATCH] cksum: add --check-stream=CHECKSUM flag" thread.
    (https://lists.gnu.org/archive/html/coreutils/2024-12/msg00005.html)

    This file will be visible via <https://raw.githubusercontent.com/coreutils/coreutils/.../DEMO-20241216>.

    However, this file does not really belong to the <https://github.com/coreutils/coreutils> repo.

Regards,
Akihiro Suda

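The verify-before-execute pattern argued over in this thread, as an added example that is not part of the message above or of coreutils: a POSIX sh function that emulates the proposed `--check-stream=CHECKSUM` with the existing `sha256sum --check`. The function name `check_stream`, the use of a temp file, and the sample input are assumptions of this example; the digest shown was computed with `sha256sum` over the constructed input `printf 'hello\n'`.

```shell
#!/bin/sh
# Added example (not from the thread or from coreutils): emulate the proposed
# `sha256sum --check-stream=CHECKSUM` with tools that exist today.
#
# A digest can only be verified once every input byte has been read, so the
# stream must be buffered somewhere before anything is released downstream.
# This is why the existing-tools pattern in the thread needs mktemp: the
# content is written to a temp file, the digest is checked against the
# expected value, and only on success is the content forwarded to stdout.
# On mismatch nothing is emitted and the function returns 1, so in
#   curl -fs URL | check_stream "$SUM" | sh
# the shell never sees unverified bytes.
check_stream() {
    expected=$1
    tmpf=$(mktemp) || return 1
    # Buffer the whole stream first.
    cat > "$tmpf" || { rm -f "$tmpf"; return 1; }
    # Feed a one-line check list ("<hex>  <path>") to sha256sum on stdin
    # ("-" means read the list from stdin). --status keeps it silent and
    # reports the verdict purely via the exit code.
    if printf '%s  %s\n' "$expected" "$tmpf" | sha256sum --status --check -; then
        cat "$tmpf"
        status=0
    else
        status=1
    fi
    rm -f "$tmpf"
    return $status
}

# Constructed sample: the SHA-256 of the bytes "hello\n" (as produced by
# `echo hello`), computed with sha256sum for this example.
SAMPLE_SUM=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Demonstrate both outcomes. Returns 0 only if the matching digest releases
# the content and a wrong digest releases nothing.
demo() {
    ok=$(printf 'hello\n' | check_stream "$SAMPLE_SUM") || return 1
    [ "$ok" = "hello" ] || return 1
    wrong=0000000000000000000000000000000000000000000000000000000000000000
    if bad=$(printf 'hello\n' | check_stream "$wrong"); then
        return 1
    fi
    [ -z "$bad" ] || return 1
    return 0
}
```

Because the content is buffered to disk, this has the same footprint as the pattern quoted from Pádraig; what it adds is that the temp file is handled inside one function, so callers get a plain `producer | check_stream SUM | consumer` pipeline and the failure case cannot leak partial output.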