Securely downloading Pharo

> I guess you could download it from the Jenkins job
> https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/
>
> although the job itself downloads over http from files.pharo.org… but
> Jenkins should be fine enough if you are worried about MitM between you and
> Pharo.
>
> For SHA you still need a secure connection assuming the website wouldn't get
> compromised,
> or digitally signed releases assuming the signing won't be misconfigured, or
> the keys won't get compromised.
>
> But I agree that this should be solved, or at least improved; but then again
> whole smalltalkhub doesn't use https and you are sending your credentials in
> plaintext over the network (have fun committing from a hotel room wifi)…
> security through obscurity can be incredibly efficient.
>
> Of course that means that we need someone with the time and knowledge that
> can invest effort into this.
>
> Peter
>
> On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <[hidden email]> wrote:
>>
>> Is there any way of downloading Pharo securely?
>>
>> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
>> data:
>>
>> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
>> --2016-05-02 22:44:34--
>> https://files.pharo.org/platform/Pharo4.0-linux.zip
>> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
>> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443...
>> connected.
>> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol
>> Unable to establish SSL connection.
>>
>> The excellent pharo zeroconf script doesn't seem available over HTTPS
>> either:
>>
>> $ curl https://get.pharo.org/vm50
>> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol
>>
>> Looking at the script itself, it's downloading files over HTTP from
>> files.pharo.org and executing them without verifying. I've explored
>> files.pharo.org, but I can't see any signatures or hashes (e.g.
>> sha256sum) of any of the files.
>>
>> The pharo homepage is largely available at https://pharo.org/
>> (although some of the styling is missing due to being served over
>> HTTP).
>>
>> Have I missed something? Would it be possible to provide HTTPS and/or
>> sha256sums for downloads?
>>
>>
>> Wilfred
>>
>

> On 04 May 2016, at 23:51, Wilfred Hughes <[hidden email]> wrote:
>
> Yep, a SHA sum is less useful if it's on the same site. Still, it
> would be really useful to check the file against accidental
> corruption. It would also be useful for comparing with the checksums
> used by packagers,
> e.g. https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pharo#n27
> . Users could see if their Pharo package was the same as the package
> on pharo.org.
>
> pharo.org very nearly works with HTTPS, it's just a few JS/CSS files
> that need to stop using absolute URLs (so e.g.
> "http://pharo.org/files/screenshots/pharo-is-yours.png" should be a
> protocol-relative URL
> "//pharo.org/files/screenshots/pharo-is-yours.png").
>
> Is the site hosted somewhere that users can send patches to?
>
> On 3 May 2016 at 23:54, Peter Uhnák <[hidden email]> wrote:
>> I guess you could download it from the Jenkins job
>> https://ci.inria.fr/pharo/job/Pharo-5.0-Update-Step-5-Publish/lastSuccessfulBuild/artifact/
>>
>> although the job itself downloads over http from files.pharo.org… but
>> Jenkins should be fine enough if you are worried about MitM between you and
>> Pharo.
>>
>> For SHA you still need a secure connection assuming the website wouldn't get
>> compromised,
>> or digitally signed releases assuming the signing won't be misconfigured, or
>> the keys won't get compromised.
>>
>> But I agree that this should be solved, or at least improved; but then again
>> whole smalltalkhub doesn't use https and you are sending your credentials in
>> plaintext over the network (have fun committing from a hotel room wifi)…
>> security through obscurity can be incredibly efficient.
>>
>> Of course that means that we need someone with the time and knowledge that
>> can invest effort into this.
>>
>> Peter
>>
>> On Wed, May 4, 2016 at 12:33 AM, Wilfred Hughes <[hidden email]> wrote:
>>>
>>> Is there any way of downloading Pharo securely?
>>>
>>> I'm trying to download Pharo itself over HTTPS, so I know I can trust the
>>> data:
>>>
>>> $ wget https://files.pharo.org/platform/Pharo4.0-linux.zip
>>> --2016-05-02 22:44:34--
>>> https://files.pharo.org/platform/Pharo4.0-linux.zip
>>> Resolving files.pharo.org (files.pharo.org)... 128.93.162.72
>>> Connecting to files.pharo.org (files.pharo.org)|128.93.162.72|:443...
>>> connected.
>>> OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol
>>> Unable to establish SSL connection.
>>>
>>> The excellent pharo zeroconf script doesn't seem available over HTTPS
>>> either:
>>>
>>> $ curl https://get.pharo.org/vm50
>>> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>>> protocol
>>>
>>> Looking at the script itself, it's downloading files over HTTP from
>>> files.pharo.org and executing them without verifying. I've explored
>>> files.pharo.org, but I can't see any signatures or hashes (e.g.
>>> sha256sum) of any of the files.
>>>
>>> The pharo homepage is largely available at https://pharo.org/
>>> (although some of the styling is missing due to being served over
>>> HTTP).
>>>
>>> Have I missed something? Would it be possible to provide HTTPS and/or
>>> sha256sums for downloads?
>>>
>>>
>>> Wilfred
>>>
>>
>