Thanks for the info. I've checked the rvm install guide at https://rvm.io/rvm/install, and it seems that the install script itself at https://get.rvm.io is not verified by gpg; the gpg key is for verifying the rvm packages.

At https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install, it gives a way to sign the install script itself (https://docs.sandstorm.io/en/latest/install/#option-3-pgp-verified-install). Also, I checked that by default opnfv.org is hosted over https. Following sandstorm.io's way, when we finally release the script, we put it at https://get.opnfv.org/ephrates/quickstart.sh, the script's signature file at https://get.opnfv.org/ephrates/quickstart.sh.sig, and the pgp key at https://raw.githubusercontent.com/opnfv/releng/master/keys/release-keyring.gpg. Then those who do not trust https can use the commands below to use the quickstart.sh script.

```bash
# import the OPNFV release signing key
curl -fsSL https://raw.githubusercontent.com/opnfv/releng/master/keys/release-keyring.gpg | \
    gpg --import
# fetch the script and its detached signature
wget https://get.opnfv.org/ephrates/quickstart.sh
wget https://get.opnfv.org/ephrates/quickstart.sh.sig
# run the script only if the signature verifies
gpg --verify quickstart.sh.sig quickstart.sh && bash quickstart.sh
```

Those who trust https or at least trust github can still use:

```bash
curl -fsSL https://get.opnfv.org/ephrates/quickstart.sh | bash
```

or

```bash
wget https://raw.githubusercontent.com/opnfv/releng/ephrates/quickstart/quickstart.sh
bash quickstart.sh
```

Is it ok?

Best Regards,
Qi Liang

________________________________
From: Luke Hinds [[email protected]]
Sent: Friday, June 30, 2017 17:52
To: liangqi (D)
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts

Some articles on risks:

https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
https://www.seancassidy.me/dont-pipe-to-your-shell.html
https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install

The safest way to do this is using GPG with --recv-key and --verify; I am sure with some creativity it's possible to get it into one line. I believe rvm do this.

On Fri, Jun 30, 2017 at 4:06 AM, liangqi (D) <[email protected]> wrote:

Thanks for pointing out this security issue. I think curl | bash install is the easiest way of deploying a system, and with minimum dependencies. Could you please give some examples of how to use a checksum to ensure the script is securely executed? I saw that the head of https://get.docker.com/ has info like:

```bash
# This script is meant for quick & easy install via:
#   $ curl -fsSL get.docker.com -o get-docker.sh
#   $ sh get-docker.sh
#
# For test builds (ie. release candidates):
#   $ curl -fsSL test.docker.com -o test-docker.sh
#   $ sh test-docker.sh
#
# NOTE: Make sure to verify the contents of the script
#       you downloaded matches the contents of install.sh
#       located at https://github.com/docker/docker-install
#       before executing.
```

Best Regards,
Qi Liang

________________________________
From: Luke Hinds [[email protected]]
Sent: Thursday, June 29, 2017 18:32
To: liangqi (D)
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts

Hi,

Don't want to detract from the topic, but please do not use curl | bash; it's dangerous, and if opnfv.org is ever compromised, scripts like this could be used to back door all the PODs and test sites deployed by end users.

If deploying a system this way, then use a checksum (with sha256 or stronger) first to ensure the script has not been tampered with (I have examples if some are needed).

Cheers,
Luke

On Thu, Jun 29, 2017 at 10:54 AM, liangqi (D) <[email protected]> wrote:

Hi,

In OPNFV we have 4 installers in the Danube release, and we will have more in the next release. Each of them supports multiple scenarios and has different install steps for users. This is quite confusing and difficult to use, especially for newbies. In releng we already have scripts to trigger all installers' deploy and test, but the scripts are CI oriented, not user oriented.

So I propose to implement wrapper scripts in releng to provide an easy way for people to try opnfv. With minimum requirements (a server with Ubuntu 14.04/16.04 or CentOS 7 installed and with internet connectivity), and without reading the installers' detailed install guides, just run one command and you will get your environment ready.

The simplest way to install an opnfv environment will be like: `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`. For each installer we may have a one-command deploy like: `curl https://get.opnfv.org/ephrates/compass/quickstart.sh | bash`

Basic virtual deploy workflow:

1. Run command (e.g. `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`)
2. Check environment
3. Fetch supported installers and select one installer
4. Generate the deploy command and execute
5. Verify the deployed environment
6. Deploy success

For BareMetal deployment the workflow is almost the same; the only difference is you need to prepare physical servers/switches, connect the cables, set up the switches, create a pod-descriptor file, and run the deploy command with the pod-descriptor file.

The attached slide illustrates the initial idea, which was shared by Justin at the OPNFV Summit in Beijing.

Here is the initial script patch: https://gerrit.opnfv.org/gerrit/#/c/36711/

@Uli, I saw you've sent the latest infra working group meeting agenda to the mailing list. Could you please include this topic in the infra working group meeting agenda?

Welcome feedback, comments, and discussion here or at the infra working group meeting.

Best Regards,
Qi Liang

_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss

--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
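An added example of the verify-before-run pattern discussed in the thread (this is not OPNFV releng code and was not posted by anyone above): Luke's sha256 checksum check and the sandstorm-style detached PGP signature check, each gating execution so the script is run only after the check passes and is never piped straight into a shell. The functions work on local files so the block runs offline; the function names (`sha256_of`, `verify_sha256`, `verify_gpg`, `run_verified`), the keyring path and the file names are assumptions chosen for illustration. The gpg check verifies against only the keyring you hand it, not the user's default keyring, and fails closed when gpg is not installed.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not OPNFV releng code): gate execution of a
# downloaded installer script on a sha256 digest or a detached PGP signature.
# All paths and names below are assumptions for illustration.
set -u

# Print the SHA-256 of a file using coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE hashes to EXPECTED_HEX (hex case does not matter).
# EXPECTED_HEX must come from somewhere other than the server that served FILE
# (e.g. the GitHub copy Docker's header mentions), or the check proves nothing.
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256_of "$file") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# verify_gpg FILE SIGFILE KEYRING
# Verifies the detached signature SIGFILE over FILE against ONLY the keys in
# KEYRING (--no-default-keyring), so a stray key in ~/.gnupg cannot satisfy the
# check. Pass KEYRING as an absolute path: gpg treats a bare name as relative to
# its home directory. Fails closed if gpg is missing or SIGFILE is empty.
verify_gpg() {
    local file=$1 sig=$2 keyring=$3
    command -v gpg >/dev/null 2>&1 || {
        echo "gpg not installed; refusing to run unverified script" >&2
        return 1
    }
    [ -s "$sig" ] || return 1
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$file" >/dev/null 2>&1
}

# run_verified SCRIPT MODE ARG...
#   MODE=sha256  ARG=expected hex digest
#   MODE=gpg     ARG=sigfile keyring
# Runs SCRIPT with bash only after the chosen check succeeds. Because the file
# is fully downloaded and verified before bash ever sees it, a truncated or
# tampered download cannot be partially executed the way `curl | bash` allows.
run_verified() {
    local script=$1 mode=$2
    shift 2
    case "$mode" in
        sha256) verify_sha256 "$script" "$1" ;;
        gpg)    verify_gpg "$script" "$1" "$2" ;;
        *)      echo "unknown verification mode: $mode" >&2; return 2 ;;
    esac || {
        echo "verification failed for $script; not executing" >&2
        return 1
    }
    bash "$script"
}
```

With the URLs proposed in the thread, the PGP path would be: fetch quickstart.sh, quickstart.sh.sig and release-keyring.gpg with `curl -fsSLO`, then `run_verified quickstart.sh gpg quickstart.sh.sig "$PWD/release-keyring.gpg"`; the signature check ties the script to a key whose fingerprint you confirmed out of band, which the checksum path cannot do on its own.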
