Fetch memcached from GitHub Releases over HTTPS. #5
Conversation
- Avoids fetching directly over plain HTTP from the memcached site directly.
|
I'm a little wary of this given that the official download page link is the one we've encoded here, and given that we explicitly verify the SHA1 (which is hard-coded in the |
|
You're right about the SHA-1—I'd forgotten that would be an issue as the SHA-1 hashes don't match across the archives (as the result of the way the tarballs are packaged). I've raised an issue on the memcached repo itself (memcached/memcached#140) to look at resolving this—downloading a major dependency over vanilla HTTP on every build of the image is very far from ideal. |
|
Since the SHA1 is hard-coded in the Dockerfile itself and not fetched at
build-time from the same server, I'm not sure I understand what makes this
a severe problem rather than just an minor annoyance, but if there were an
official HTTPS place to grab the official release builds, I agree that'd be
preferable. 👍
|
|
The problem is that you can not verify that the tarball you create the SHA1 sum from is unmodified. You may end up hardcode a SHA1 of a modified tarball. I don't think the tarball itself needs to be available from https as long as there is a checksum available from https, or if the tarball is signed. (btw, SHA1 is considered broken now so we should probably use SHA256) |
|
We use the values upstream themselves provide (see update.sh) -- if they
provide sha256, I'm +1 to switching but iirc they do not.
|
|
I'm closing this since there's unfortunately nothing actionable for us to do here (given that we're using the only mechanism upstream currently officially provides), but I look forward to seeing changes when upstream provides more secure means of verification (be that TLS, SHA256, PGP, etc)! 👍 |
|
For reference, the current Line 6 in 3f5295b |
Avoids fetching directly over plain HTTP from the memcached site directly.