From: Adam N. <an...@so...> - 2019-03-14 21:07:59
Hello, I'm looking for a secure way to download the Valgrind source tarballs, or to verify their hashes. Right now it looks like the whole Valgrind web site, including the official downloads, is only available over HTTP (yet is also available over IPv6). So downloads could be tampered with in transit, and probably shouldn't be installed on any systems that need to be secure. (In my case, I'm trying to profile programs on a system that has access to controlled-access genomics data, which needs to be protected.)

I've found that I can clone https://sourceware.org/git/valgrind.git over a secure connection, but I got that URL from the insecure page, so I'm relying on Sourceware's reputation as a place where malicious software is not hosted. And I'm not following any of the recommended install instructions; I had to manually add in the "s" there. *And* I have to clone the whole git repo when really I just want to install the current release of the program.

Can the Valgrind website, or at least the tarball downloads, please be given HTTPS support? Or GPG-signed by someone reputable?

Thanks,
-Adam
From: John R. <jr...@bi...> - 2019-03-14 21:48:45
> *And* I
> have to clone the whole git repo when really I just want to install
> the current release of the program

That is by design. If *you* want to get the bits that way, then *you* must build valgrind. Besides, the repo is not large, and building it is not long. Someone whose email address ends in .ucsc.edu should have no resource problems.

If the goal is "install the current release" with the least hassle, then you should consider installing the current release from a Linux distribution such as Fedora or Debian. The .rpm or .deb is "signed by someone reputable". It may even have some bugs fixed already.
From: Adam N. <an...@so...> - 2019-03-14 22:35:08
In HPC/cluster environments, users often don't have root and can't use traditional package managers; I generally need to build and install software with a --prefix sent to the configure script. It's not that I don't want to build valgrind; I do want to build it from source. But I want to have some assurance that the source I got is the source everyone else got, given that I trust the valgrind project. What I don't want to have to do is to audit the whole codebase myself after each download/clone.

The recommended clone command on http://valgrind.org/downloads/repository.html should be `git clone https://sourceware.org/git/valgrind.git`, and the mirror clone command should be changed to `git clone https://repo.or.cz/valgrind.git`, both of which appear to be available. I shouldn't have to guess at the existence of a secure way to clone the repo and fix up an insecure default command; it should be documented and the default.

If the only secure way to get valgrind's source is to clone the Git repo, then that should be the recommended installation process; the source tarballs should be offered as a backup solution only for people who can't clone the repo (myself excluded). The current releases page at http://valgrind.org/downloads/current.html should thus contain the Git commands to clone the repo and check out the latest tag, above the links to the tarballs. The way the site is laid out now, it looks like the insecure tarball downloads are the recommended way for people not using a package manager to get a copy of valgrind.

Is there a repository for the web site where I can propose a patch?

On 3/14/19, John Reiser <jr...@bi...> wrote:
>> *And* I
>> have to clone the whole git repo when really I just want to install
>> the current release of the program
> That is by design. If *you* want to get the bits that way, then *you* must
> build valgrind.
> Besides, the repo is not large, and building it is not long.
> Someone whose email address ends in .ucsc.edu should have no resource
> problems.
>
> If the goal is "install the current release" with the least hassle,
> then you should consider installing the current release from a
> Linux distribution such as Fedora or Debian. The .rpm or .deb
> is "signed by someone reputable". It may even have some bugs fixed
> already.
>
>
> _______________________________________________
> Valgrind-users mailing list
> Val...@li...
> https://lists.sourceforge.net/lists/listinfo/valgrind-users
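The integrity check the thread asks for, as an added example written for this page (not code from either poster or from the Valgrind project): a POSIX shell fetch helper that refuses plain-HTTP download URLs, pins curl to HTTPS, and deletes the tarball unless its SHA-256 matches a digest obtained out of band (for instance from a signed release announcement). The function names, the sample file contents and the digest value in the comments are all constructed for the demo.

```shell
#!/bin/sh
# Added example: HTTPS-only fetch plus SHA-256 verification of a release tarball.
# The expected digest must come from a channel other than the HTTP site itself
# (a signed announcement, a distro package, a trusted colleague), otherwise an
# attacker who can alter the download can alter the published digest too.
set -eu

# sha256_of FILE -> hex digest; works with coreutils (sha256sum) or BSD (shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# url_is_https URL -> 0 only for https:// URLs; plain http is tamperable in transit
url_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# verify_tarball FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_tarball() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Downloads over HTTPS only (--proto '=https' stops curl following an http://
# redirect), then verifies; a mismatching file is removed so it cannot be
# installed by accident.
fetch_and_verify() {
    url_is_https "$1" || { echo "refusing non-HTTPS URL: $1" >&2; return 2; }
    curl --proto '=https' --tlsv1.2 -fsSL -o "$3" "$1" || return 3
    if verify_tarball "$3" "$2"; then
        echo "digest OK: $3"
    else
        echo "digest MISMATCH for $3, deleting" >&2
        rm -f "$3"
        return 1
    fi
}
```

The same digest comparison applies to a `git clone` over HTTPS followed by `git checkout <tag>`: the transport protects the bytes in transit, but only an out-of-band digest or signature tells you the tag you checked out is the one the project released.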