
Re: Scripts that run insecurely-downloaded code



On Fri, May 1, 2020 at 7:12 PM Rebecca N. Palmer wrote:

> Around 200 packages [0] include upstream scripts that download code via
> (non-secure) http, then run it without an integrity check.

A lot of these appear to be in documentation, dependency installation
scripts (such as in docker) or continuous integration scripts.

> How should this be dealt with?

Review each one manually. Report security issues for things that end
up in a .deb to upstream security contacts along with CVEs for each
issue that warrants the fixes. The upstream security reports should
probably get a Debian report too, as many upstreams will be
un(der)maintained. For CI, Dockerfile and documentation issues, probably
just an upstream pull request.

> - (imperfect) Lintian check based on [0]?

Probably better added to per-language static analysis tools like
ShellCheck etc. I don't think lintian is the place to do static
analysis, that should be done by upstream developers either on their
dev machines or in their CI and possibly by distro packagers when
analysing new upstream releases. check-all-the-things aims to make it
easy and useful for devs/packagers to run all the available tools.

https://github.com/collab-qa/check-all-the-things/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
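The kind of "imperfect" static check the thread talks about, as an added example that is not from the report, from Lintian or from ShellCheck: a small Python heuristic that flags shell lines which fetch over plain http, pipe a download straight into a shell, or fetch without any checksum or signature verification anywhere in the script. The two sample scripts and the `example.invalid` URLs are constructed for the demonstration.

```python
import re

# Constructed sample scripts (not taken from the Debian report) that show
# the pattern the thread describes and one hardened variant.
INSECURE_SCRIPT = """#!/bin/sh
set -e
curl -sSL http://example.invalid/install.sh | sh
wget -q http://example.invalid/tool.tar.gz
tar xzf tool.tar.gz
"""

HARDENED_SCRIPT = """#!/bin/sh
set -e
curl -sSLO https://example.invalid/tool.tar.gz
echo "<sha256-of-tool.tar.gz>  tool.tar.gz" | sha256sum -c -
tar xzf tool.tar.gz
"""

FETCH = re.compile(r'\b(curl|wget)\b')
# curl/wget whose URL, in the same command (no pipe in between), is plain http
HTTP_FETCH = re.compile(r'\b(curl|wget)\b[^\n|]*\bhttp://')
# a pipe feeding sh/bash/dash/zsh, optionally through sudo
PIPE_TO_SHELL = re.compile(r'\|\s*(sudo\s+)?(ba|da|z)?sh\b')
# crude evidence that the script verifies what it fetched
INTEGRITY = re.compile(r'\b(sha(1|256|512)sum|shasum|gpgv?)\b')

def find_insecure_downloads(script):
    """Return (line_no, reason) pairs for download lines that use plain
    http, are piped straight into a shell, or are never verified.
    Heuristic only: it reads text, not the script's control flow."""
    lines = script.splitlines()
    has_integrity = any(INTEGRITY.search(line) for line in lines)
    findings = []
    for num, line in enumerate(lines, 1):
        if not FETCH.search(line):
            continue
        if HTTP_FETCH.search(line):
            findings.append((num, "download over plain http"))
        if PIPE_TO_SHELL.search(line):
            findings.append((num, "download piped directly into a shell"))
        elif not has_integrity:
            findings.append((num, "download with no integrity check in script"))
    return findings

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, find_insecure_downloads(text) or "no findings")
```

Because it only matches text, a checksum line anywhere in the file silences the "no integrity check" finding even if it verifies a different artifact; a real check would need to tie the verification to the downloaded file.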

