[MacTUG] AUTOPKG and security

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Jul 3 09:52:33 EDT 2018


To the AutoPKG users out there. Do y’all worry about the security of the packages being downloaded? I am using autopkg, only download from authors that are ‘reputable’, look at the recipes, etc., but I wonder sometimes about the security in doing so, especially since it is not that hard to automate the stuff oneself.

For example, this grabs the latest firefox.dmg, and it would not be that hard to automate it to check regularly to see if there is a new file to download.

#!/bin/sh -x
PKG_VENDOR="Mozilla"
PKG_PRODUCT="Firefox_ESR"
PKG_LANGUAGE="ML"
PKG_ID="ch.ethz.mac.pkg.${PKG_VENDOR}_${PKG_PRODUCT}.${PKG_LANGUAGE}"

# Download URL (Version will be filled in later)
PKG_URL="https://download.mozilla.org/?product=firefox-#VERSION#esr-SSL&os=osx&lang=en-US"

# fetch info about current version from website: the <html> element of the page
# carries a data-esr-versions attribute listing the ESR versions; take the second one
PKG_VERSION=$(curl -s https://www.mozilla.org/en-US/firefox/new/ | xmllint --html --xpath 'string(/html/@data-esr-versions)' - 2>/dev/null | cut -d' ' -f2 )

# stop here rather than request a download URL with an empty version
if [ -z "$PKG_VERSION" ]; then
    echo "could not determine the current ESR version" >&2
    exit 1
fi

# replace placeholder with correct version (quoted so the shell does not glob-expand the ? in the URL)
PKG_URL=$(printf '%s' "$PKG_URL" | sed -e "s@#VERSION#@$PKG_VERSION@")

# define output name (set here, not used by the lines below)
OUTNAME="${PKG_VENDOR}_${PKG_PRODUCT}_${PKG_VERSION}_${PKG_LANGUAGE}"

# Download Firefox.dmg (-L follows redirects, -s silent, -o writes to the named file)
curl -Lso "Firefox ${PKG_VERSION}esr.dmg" "$PKG_URL"

This is the meat and potatoes of a script I found here: https://github.com/maxschlapfer/MacAdminHelpers/tree/master/MozillaFirefoxPackageBuilder

Anyhow, for the AutoPKG users, what steps do you take to ensure that your pkg you have downloaded is legit?

don

------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
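An added example of the kind of check the post asks about, not code from the original message or from the MacAdminHelpers script it quotes: a POSIX shell script that fetches Mozilla's SHA256SUMS manifest and its detached signature for a release, verifies the signature, downloads the DMG and only accepts it if its digest matches the manifest entry exactly, then (on macOS) mounts the image and checks the bundle's code signature and Gatekeeper assessment. The ftp.mozilla.org directory layout, the manifest line format, the DMG path within the manifest, the Firefox.app name and an already-imported Mozilla release signing key are assumptions; adjust them if the real layout differs.

```shell
#!/bin/sh
# Added example (not from the original post or the MacAdminHelpers project):
# verify a downloaded Firefox DMG against Mozilla's signed SHA256SUMS manifest,
# then (macOS only) check the bundle's code signature.
# ASSUMPTIONS: release files live under
#   https://ftp.mozilla.org/pub/firefox/releases/<version>/ with the DMG at
#   mac/en-US/Firefox <version>.dmg and a manifest SHA256SUMS (+ SHA256SUMS.asc)
#   whose lines look like "<64-hex-sha256>  <path>"; Mozilla's release signing
#   key is already in the local gpg keyring; the image contains Firefox.app.

# Portable SHA-256 of a file (Linux has sha256sum, macOS ships shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_against_manifest FILE MANIFEST ENTRY
# 0 = FILE's digest matches the manifest line for ENTRY, 1 = mismatch,
# 2 = ENTRY not listed at all (a missing entry is a failure, not a pass).
# The match is exact: 64 hex chars, two spaces, then ENTRY to end of line, so a
# longer path that merely ends in ENTRY is not accepted.
verify_against_manifest() {
    file=$1; manifest=$2; entry=$3
    expected=$(awk -v e="$entry" \
        'index($0, "  " e) == 65 && length($0) == length(e) + 66 { print $1; exit }' \
        "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# fetch_and_verify VERSION : download manifest, signature and DMG; check the
# manifest's detached signature, then the DMG's digest. Prints the DMG path on
# success. Needs network access, so it is not part of the offline checks.
fetch_and_verify() {
    version=$1
    base="https://ftp.mozilla.org/pub/firefox/releases/${version}"   # assumed layout
    entry="mac/en-US/Firefox ${version}.dmg"                         # assumed manifest path
    work=$(mktemp -d)
    curl -fsSL -o "$work/SHA256SUMS"     "$base/SHA256SUMS"     || return 4
    curl -fsSL -o "$work/SHA256SUMS.asc" "$base/SHA256SUMS.asc" || return 4
    # A manifest fetched over the same channel as the DMG proves nothing by
    # itself; the detached signature ties it to Mozilla's release key.
    gpg --verify "$work/SHA256SUMS.asc" "$work/SHA256SUMS" >/dev/null 2>&1 || return 3
    url="$base/$(printf '%s' "$entry" | sed 's/ /%20/g')"
    curl -fsSL -o "$work/Firefox.dmg" "$url" || return 4
    verify_against_manifest "$work/Firefox.dmg" "$work/SHA256SUMS" "$entry" || return $?
    printf '%s\n' "$work/Firefox.dmg"
}

# check_app_signature DMG : macOS only. Mount read-only, verify the bundle's
# code signature and Gatekeeper assessment, unmount. 0 = both checks passed.
check_app_signature() {
    dmg=$1; mnt=$(mktemp -d)
    hdiutil attach -nobrowse -readonly -mountpoint "$mnt" "$dmg" >/dev/null || return 1
    if codesign --verify --deep --strict --verbose=2 "$mnt/Firefox.app" &&
       spctl --assess --type execute "$mnt/Firefox.app"; then rc=0; else rc=1; fi
    hdiutil detach "$mnt" >/dev/null
    return "$rc"
}

# Stand-alone use: sh verify_firefox.sh --fetch 60.0.2esr
if [ "${1:-}" = "--fetch" ] && [ -n "${2:-}" ]; then
    dmg=$(fetch_and_verify "$2") && echo "digest matches signed manifest: $dmg" \
        || echo "verification failed (status $?)" >&2
fi
```

The digest check alone only proves the file is the one the manifest describes, which is why the manifest's detached signature is verified first; and because a download URL like the one in the post resolves through a redirector, comparing against the release directory's manifest also catches a DMG that was silently swapped for a different build. On macOS the code-signature step adds a second, independent anchor: a notarized Firefox.app should pass both codesign and spctl.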
