Re: [code] [textadept] Secure download and build

From: Mitchell <m.att.foicica.com>
Date: Mon, 16 Nov 2015 20:52:12 -0500 (EST)

Hi,

On Sun, 1 Nov 2015, xsek.att.openmailbox.org wrote:

> Hi!
>
> I'm using Arch Linux and Textadept from AUR, and the latest build of
> textadept-curses does not work because libncursesw.so.5 is missing. One way
> to make it usable is to symlink libncursesw.so.6, but that is a dirty hack and
> will probably lead to problems. So the only solution is to build Textadept
> from source.
>
> And there is a problem, two actually. First, your website doesn't have SSL
> encryption or GPG-signed archives; I can't even find hash sums to check their
> integrity. Second, when building, external libs are downloaded, and they are
> downloaded a) from unreliable and infamous sources like SourceForge; or b)
> without SSL encryption too. Sometimes I need to run the editor as root, and call
> me paranoid, but I find it very insecure with such a build environment.
>
> I like Textadept very much, I have tried just about every other editor, and it is the
> best FMPOV. Could you make it more secure please? :) Or point me to where I'm
> wrong with my logic.

I believe I've managed to support this.

1. Next to each download on the downloads page is a PGP signature.
2. At the top of the downloads page is my PGP public key.
3. Nightly builds also have a signature that you can retrieve by
requesting the filename with a '.asc' extension (you'll have to request
this manually for now).
4. Currently, only the nightlies contain PGP signatures for all dependency
archives, and those signatures are in the "src/" directory. Subsequent
releases of Textadept will contain these signatures.
5. After running `make deps` to fetch dependencies, running `make
verify-deps` will check the known signatures against the downloads. That
way you'll know if your download is exactly what Textadept was compiled
against. IMPORTANT: since only nightly builds contain archive signatures
at the moment, you must run `make deps NIGHTLY=1` to fetch dependencies.
Otherwise, foicica.com's dependencies will not check out.
6. I've updated my self-signed SSL cert in case you want to download
anything else over HTTPS (the PGP key will use HTTPS by default).

Let me know if you have questions or issues.

Cheers,
Mitchell

Received on Mon 16 Nov 2015 - 20:52:12 EST
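The verification workflow Mitchell describes above (pinned public key, detached `.asc` signature next to each archive, `make verify-deps` over everything in `src/`) can be reproduced with plain gpg. The script below is an added example written for this archive page; it is not Textadept's Makefile target and makes two assumptions: that the key file (`key.asc`) and its fingerprint were obtained out-of-band, e.g. from the downloads page over HTTPS, and that each archive `X` sits next to a signature named `X.asc`. It verifies in a throwaway keyring so that nothing already in `~/.gnupg` can vouch for a download, and it refuses to proceed if the imported key's fingerprint does not match the pinned value.

```shell
#!/bin/sh
# Added example (not Textadept's own Makefile): verify downloaded archives
# against detached PGP signatures using ONLY a pinned key in an isolated
# keyring. Assumes gpg 2.x and the layout "archive" + "archive.asc".
set -eu

# Import one public key file into a fresh keyring and require that the keyring
# then contains exactly one primary key whose fingerprint equals the value you
# pinned out-of-band.  Args: keyring-dir key-file expected-fingerprint
import_pinned_key() {
    keyring=$1; keyfile=$2; expected=$3
    rm -rf "$keyring"
    mkdir -m 700 "$keyring"
    GNUPGHOME="$keyring" gpg --batch --quiet --import "$keyfile" 2>/dev/null
    # In --with-colons output the primary key's "fpr" record follows "pub";
    # field 10 is the fingerprint. Several keys would yield several lines and
    # fail the comparison, which is intended: the keyring must hold the pin only.
    actual=$(GNUPGHOME="$keyring" gpg --batch --with-colons --fingerprint 2>/dev/null \
             | awk -F: '$1 == "pub" { getline; if ($1 == "fpr") print $10 }')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Verify one archive against its sibling .asc using only the pinned keyring.
# gpg --verify exits 0 for a good signature even though the key is "untrusted"
# in the web-of-trust sense; the pin above is what establishes trust here.
verify_archive() {
    keyring=$1; archive=$2
    if [ ! -f "$archive.asc" ]; then
        echo "missing signature $archive.asc" >&2
        return 1
    fi
    GNUPGHOME="$keyring" gpg --batch --quiet --verify "$archive.asc" "$archive" 2>/dev/null
}

# Check every archive in a directory that has a sibling .asc (what the text
# describes for src/). Reports each result and returns 1 if any check fails.
verify_deps_dir() {
    keyring=$1; dir=$2; rc=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue      # no signatures at all: glob unexpanded
        archive=${sig%.asc}
        if verify_archive "$keyring" "$archive"; then
            echo "OK   $archive"
        else
            echo "FAIL $archive" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use (paths are assumptions):
#   import_pinned_key ./keyring ./key.asc "$PINNED_FINGERPRINT"
#   verify_deps_dir ./keyring ./src
```

A missing `.asc` is treated as a failure rather than skipped, since an attacker who can replace an archive can just as easily drop its signature; and the keyring is recreated on every run so a stale or extra key cannot survive from an earlier import.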
