Security considerations in installation method

[NoraCodes]

Currently, out of all Linux distributions, only Arch Linux has a method for installing rustup via a package manager, and the recommended method is to use a copy/pasted curl | bash. There has been some discussion as to whether this is a security problem. I contend that it is, because even with an SSL-encrypted website as the source for the copy/paste, a quick-thinking social engineer in physical proximity to a target could cause havoc by running Moxie's SSLStrip, hijacking the redirect, and changing the URL being curl'd, effectively giving arbitrary code not only execution but execution with user trust.

I would like to gauge interest in creating self-installer packages for more mainstream distributions such as Debian (Ubuntu, Mint, etc), Fedora/Red Hat, and SUSE - that is, either amending rustup so that it can update itself in a safe and transactional way, or creating a rustup-up (so to speak) that is capable of doing so, and packaging that installer. This would allow inclusion in traceable installation infrastructure, which would solve the security issue, and allow the project to avoid the apparent stagnation that Arduino and other rapidly moving projects have faced.

If there is interest in this proposal, I'd be more than happy to work on it this summer; my school semester ends soon, and I would love to put my time to good use.

[brson]

@SilverWingedSeraph Yes, I would love to have rustup packages for common formats!

Instead of teaching rustup self-updates though to interact with the package manager, I'd rather just disable self-updates when packaged, and let the package manager deal with it the normal way. Does that sound right to you?

[NoraCodes]

I'd be all for that - I was only suggesting other solutions because people
on Reddit didn't like that I didn't when I originally suggested it.

[Diggsey]

It's not a question of liking it, simply that package managers will lag behind latest version, especially given the given the frequency of updates right now.

[jonhoo]

FWIW the Arch Linux package is here, and the relatively straight-forward build script is here. I'm the current maintainer.

[marmoute]

The lack of debian package is bummer. Especially since rustup seems to refuse to install in parallel of the official package. Since rustup seems the only way to get rustfmt this is problematic.

[kinnison]

@marmoute How do you mean by "refuse"? If you mean that rustup-init is unhappy if rustc or cargo is already on the path, then it tells you how to ask it to install regardless (pass -y)

[marmoute]

Well it says "error: rustup cannot be installed alongside Rust. Please uninstall first" Okay, I can overwrite this, but I have ø idea about "is this reasonable override?"

[kinnison]

I think the error message could indeed be improved.

I have a patch which changes it to:

error: it looks like you have an existing installation of Rust at:
error: /usr/bin
error: rustup should not be installed alongside Rust. Please uninstall your existing Rust first.
error: Otherwise you may have confusion unless you are careful with your PATH
error: If you are sure that you want both rustup and your already installed Rust
error: then please restart the installation and pass `-y' to bypass this check.

Would that have made it clearer what you could do?

[kinnison]

(Note, I accidentally marked that commit as closing this issue, it won't, sorry about the noise)

[marmoute]

That much clearer, thanks!
I'll got for -y (because all I need is yo^W rustfmt

[workingjubilee]

@rustbot label: +O-linux