Rustup: Security considerations in installation method

Created on 11 May 2016 · 11Comments · Source: rust-lang/rustup

Currently, out of all Linux distributions, only Arch Linux has a method for installing rustup via a package manager, and the recommended method is to use a copy/pasted curl | bash. There has been some discussion as to whether this is a security problem. I contend that it is, because even with an SSL-encrypted website as the source for the copy/paste, a quick-thinking social engineer in physical proximity to a target could cause havoc by running Moxie's SSLStrip, hijacking the redirect, and changing the URL being curl'd, effectively giving arbitrary code not only execution but execution with user trust.

I would like to gauge interest in creating self-installer packages for more mainstream distributions such as Debian (Ubuntu, Mint, etc), Fedora/Red Hat, and SUSE - that is, either amending rustup so that it can update itself in a safe and transactional way, or creating a rustup-up (so to speak) that is capable of doing so, and packaging that installer. This would allow inclusion in traceable installation infrastructure, which would solve the security issue, and allow the project to avoid the apparent stagnation that Arduino and other rapidly moving projects have faced.

If there is interest in this proposal, I'd be more than happy to work on it this summer; my school semester ends soon, and I would love to put my time to good use.

O-linux question security

Source

NoraCodes

👍12

Most helpful comment

FWIW the Arch Linux package is here, and the relatively straight-forward build script is here. I'm the current maintainer.

jonhoo on 13 May 2016

❤2

All 11 comments

@SilverWingedSeraph Yes, I would love to have rustup packages for common formats!

Instead of teaching rustup self-updates though to interact with the package manager, I'd rather just disable self-updates when packaged, and let the package manager deal with it the normal way. Does that sound right to you?

brson on 12 May 2016

I'd be all for that - I was only suggesting other solutions because people
on Reddit didn't like that I didn't when I originally suggested it.

NoraCodes on 12 May 2016

It's not a question of liking it, simply that package managers will lag behind latest version, especially given the given the frequency of updates right now.

Diggsey on 12 May 2016

👍1

FWIW the Arch Linux package is here, and the relatively straight-forward build script is here. I'm the current maintainer.

jonhoo on 13 May 2016

❤2

The lack of debian package is bummer. Especially since rustup seems to refuse to install in parallel of the official package. Since rustup seems the only way to get rustfmt this is problematic.

marmoute on 12 Dec 2019

👍1

@marmoute How do you mean by "refuse"? If you mean that rustup-init is unhappy if rustc or cargo is already on the path, then it tells you how to ask it to install regardless (pass -y)

kinnison on 13 Dec 2019

Well it says "error: rustup cannot be installed alongside Rust. Please uninstall first" Okay, I can overwrite this, but I have ø idea about "is this reasonable override?"

marmoute on 13 Dec 2019

I think the error message could indeed be improved.

I have a patch which changes it to:

error: it looks like you have an existing installation of Rust at:
error: /usr/bin
error: rustup should not be installed alongside Rust. Please uninstall your existing Rust first.
error: Otherwise you may have confusion unless you are careful with your PATH
error: If you are sure that you want both rustup and your already installed Rust
error: then please restart the installation and pass `-y' to bypass this check.

Would that have made it clearer what you could do?

kinnison on 13 Dec 2019

(Note, I accidentally marked that commit as closing this issue, it won't, sorry about the noise)

kinnison on 13 Dec 2019

That much clearer, thanks!
I'll got for -y (because all I need is yo^W rustfmt

marmoute on 13 Dec 2019

@rustbot label: +O-linux