Comments (4)
To keep this thread updated: We're now happily in the Windows Store.
No further immediate improvements are planned from my end. I would like to adopt sigstore at some point, but let's first let others squash the bugs there.
I'm somewhat 👎 on hashes/PGP - IMO there's not much of a practical security benefit (PGP lacks adoption/UX, hashes can be swapped out). Here's what we're at currently:
- macOS: Main recommendation is `brew install`, which is very nice for us because we don't have to do or worry about anything. Signing the standalone binaries would be nice to have, but then again that's not the recommended install method.
- Linux: We have (unsigned) binaries. I'm not quite sure how we can improve this, except by adding a signature that the majority of users won't check.
- Windows: Unsigned installer/binaries. This is where I think we can improve most. Classic code signing would be one option, but maybe we should just try to finally get mitmproxy into the Windows store instead? This would also provide auto-updates, which would be fantastic.
I think it's always a matter of "do I trust the signer to be responsible with the signing key"? :)
As sysadmin I've used strict SRPs in Windows that require every binary to be signed with Authenticode from specific vendors, and if one can trust the vendors (and Windows ;) it's very effective to keep the average user safe. (Although I admit those are not mitmproxy's target audience.)
You're right about PGP on Linux, though, not many actually go the extra mile and verify the file containing the hashes. But as far as hashes themselves are concerned, personally I think it's very nice to know that one's downloaded file isn't corrupted. (Then again, I also run debsums periodically, so maybe it's just bit rot paranoia :)
If we opt to build an appx/msix (for the Windows Store or App Installer), we will have to sign anyways. The user also gets the benefit of "permanent" hash checks, thanks to the package's block map getting installed alongside the files.
(Using MSIX and App Installer, we can also provide auto-updates without going through Windows Store btw.)
I'd be happy to look into that, if that's the desired way to go...
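To make the distinction raised in the thread concrete (a published hash catches a corrupted download, but a hash served next to the artifact can be replaced together with it), here is an added example that is not code from mitmproxy or from anyone in this thread; the artifact bytes and the SHA256SUMS text are constructed for the demonstration.

```python
import hashlib
from typing import Dict


def parse_sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS-style file: one '<hex digest>  <filename>' per line."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        # sha256sum marks binary-mode entries with a leading '*'
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify(name: str, data: bytes, sums_text: str) -> bool:
    """True if the artifact's SHA-256 matches its entry in the sums file."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


# Constructed sample release: an artifact and the checksum file published beside it.
ARTIFACT_NAME = "mitmproxy-linux.tar.gz"
GOOD = b"mitmproxy-binary-v1\n"
SUMS = f"{hashlib.sha256(GOOD).hexdigest()}  {ARTIFACT_NAME}\n"


def corrupted_download_detected() -> bool:
    # A truncated (or bit-flipped) download fails the check: this is what hashes buy you.
    return not verify(ARTIFACT_NAME, GOOD[:-1], SUMS)


def swapped_artifact_and_sums_undetected() -> bool:
    # If whoever serves the download can also rewrite SHA256SUMS, a replaced artifact
    # with a matching, rewritten sums file passes: the hash alone carries no authenticity.
    # Only a signature over the sums file (or the artifact) with a key obtained
    # out of band closes that gap.
    evil = b"tampered-binary\n"
    evil_sums = f"{hashlib.sha256(evil).hexdigest()}  {ARTIFACT_NAME}\n"
    return verify(ARTIFACT_NAME, evil, evil_sums)
```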
(Using MSIX and App Installer, we can also provide auto-updates without going through Windows Store btw.)
Yes, but we don't want to build any phone-home functionality into mitmproxy (that sadly includes update checks). If the OS is doing that with servers it is talking to anyways, we're fine though.
I'd be happy to look into that, if that's the desired way to go...
Defaulting to the Windows Store would be fantastic IMO. My understanding is that this would then also be signed by Microsoft somehow? At least that's how I remember it. I did try to get us into the Windows store very early on, but that then got stalled for various reasons.
https://github.com/mitmproxy/mitmproxy/tree/main/release/windows-store-experiment
😅
It looks like I cannot easily give you access to manage the store listing, but I'd be happy to collaborate on this in person. :)