-
-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aqua fallback #526
Comments
https://aquaproj.github.io/docs/reference/security/checksum describes the verification the tool does. It isnt comprehensive by default. IMO we should be clear to our users if we are installing an unverifiable binary, so this needs to be part of the design for inclusion of aqua. A lot of their tool definitions contain checksum:
enabled: false Or they omit the "checksum" key entirely, like https://github.com/aquaproj/aqua-registry/blob/main/pkgs/CycloneDX/cyclonedx-cli/registry.yaml and https://github.com/aquaproj/aqua-registry/blob/07ade5a0cd34c199a0f6eb0ff88295f8a23cd8ee/pkgs/ziglang/zig/registry.yaml Here is one with a valid checksum definition I believe they have no fallback to a central storage of previously computed checksums. They provide examples of how users can update their own
The approach that I think makes the most sense is to allow installs of tools that do have a checksum definition in aqua. This might be done by putting the following in the aqua config that install-action creates before handing control over to aqua. require_checksum: true When I tried to install
However that would mean that zig cant be installed using aqua due to lack of checksum, and that was one of the reasons that I was interested in aqua.
However zig does provide checksums at https://ziglang.org/download/ , so for me the first step is to see if the aqua can support those checksums. |
https://aquaproj.github.io/ looks like a decent binary installer, which might be a useful fallback strategy, especially for go tools
Its github action installer is reasonable, but not as mature as install-action, and if aqua is hacked, aqua-installer likely can also be hacked.
https://github.com/aquaproj/aqua-installer/blob/main/action.yaml
https://github.com/aquaproj/aqua-registry/tree/main/pkgs is where its package list exist.
Currently
The text was updated successfully, but these errors were encountered: