fix: add apt-fast optimizations #402

Merged
merged 1 commit into from
May 21, 2025

Conversation

aminya (Owner)

@aminya aminya commented May 21, 2025

@aminya aminya merged commit 464f3a0 into master May 21, 2025
49 of 54 checks passed
@aminya aminya deleted the faster-fast-apt branch May 21, 2025 05:45
Comment on lines +55 to +56
"https://raw.githubusercontent.com/ilikenwf/apt-fast/master",
"https://raw.githubusercontent.com/Rongronggg9/apt-fast/ac82051792f764220e5e303d4560de0f1952826b",

@Rongronggg9 Rongronggg9 May 23, 2025

Thanks for adopting my changes.

This might be too much to worry about, but there is a chance that end-users are at risk of a supply chain attack, i.e., if an attacker could hack one of the apt-fast devs' accounts and push a malicious install script to the master branch.

const installer = new DownloaderHelper(
    "https://git.io/vokNn",
    tmpdir(),
    { fileName: "install-apt-fast.sh" },
)

(The shortened link points to the install script in the master branch of apt-fast.)

I am not saying that the risk is very notable, but preventing it is easy and shouldn't increase the maintenance burden much. To reduce the risk, please don't download executables (or scripts) from the Internet without checksumming, and please try not to use an arbitrary (unaudited, downloaded from a non-permanent link without checksumming [1], or itself downloading anything in such a manner) install script.

The install script itself is quite simple and straightforward - its core procedure only downloads two files from the repo - so you can reproduce the same procedure, but with file checksumming [2] added, and you're done! This methodology also applies to nala.

(Disclaimer: I haven't used setup-cpp or audited the whole repo. I spoke only about what I saw in packages/setup-apt/src/.)

Footnotes

  1. You can pin a commit hash (commit-id) for the install script (i.e., do not download from master) if you'd like to stick to such an installation method. GitHub rejects any commit hash collision, thus, you may trust the commit hash without explicit checksumming.

  2. Pin a known checksum in your repo and check if the downloaded file matches it.
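One way to implement the two mitigations this comment describes (pin a full commit id instead of a branch, and compare each downloaded file against a checksum recorded in the repo), written as an added example for this page and not taken from setup-cpp or apt-fast. The fetcher is injected so the verification logic runs offline; the commit id in the demo manifest is the one quoted in the PR diff, but the recorded digest is the SHA-256 of the constructed stand-in content "abc", not of any real apt-fast file. Names such as PinnedRepo, fetchVerified and DEMO_PIN are this example's own:

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// One file to fetch from a repository that is pinned to a single commit.
export interface PinnedFile {
  path: string;   // path inside the repo, e.g. "apt-fast"
  sha256: string; // lowercase hex SHA-256 recorded when the pin was chosen
}

export interface PinnedRepo {
  owner: string;
  repo: string;
  commit: string; // full 40-hex commit id; a branch name like "master" is rejected
  files: PinnedFile[];
}

// Fetcher is injected so the checks below can be exercised offline; in a real
// action it would wrap the actual downloader (assumption, not project code).
export type Fetcher = (url: string) => Uint8Array;

const COMMIT_RE = /^[0-9a-f]{40}$/;

// Build a raw.githubusercontent.com URL that names a commit, never a branch,
// so the bytes it serves cannot change after the pin was reviewed.
export function pinnedRawUrl(repo: PinnedRepo, file: PinnedFile): string {
  if (!COMMIT_RE.test(repo.commit)) {
    throw new Error(`refusing to build URL: "${repo.commit}" is not a full commit id`);
  }
  return `https://raw.githubusercontent.com/${repo.owner}/${repo.repo}/${repo.commit}/${file.path}`;
}

export function sha256Hex(data: Uint8Array): string {
  return createHash("sha256").update(data).digest("hex");
}

// Constant-time comparison of the computed digest against the pinned one.
export function checksumMatches(data: Uint8Array, expectedHex: string): boolean {
  const actual = Buffer.from(sha256Hex(data), "hex");
  const expected = Buffer.from(expectedHex.toLowerCase(), "hex");
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Download every pinned file and return nothing unless all of them match;
// a single mismatch aborts the whole install instead of running a partial one.
export function fetchVerified(repo: PinnedRepo, fetch: Fetcher): Map<string, Uint8Array> {
  const out = new Map<string, Uint8Array>();
  for (const file of repo.files) {
    const url = pinnedRawUrl(repo, file);
    const data = fetch(url);
    if (!checksumMatches(data, file.sha256)) {
      throw new Error(`checksum mismatch for ${url}: got ${sha256Hex(data)}, want ${file.sha256}`);
    }
    out.set(file.path, data);
  }
  return out;
}

// Constructed demo manifest: the commit id is the one quoted in the PR diff;
// the digest is the SHA-256 of the constructed stand-in content "abc" served
// by goodFetcher below, NOT the digest of the real apt-fast script.
export const DEMO_PIN: PinnedRepo = {
  owner: "Rongronggg9",
  repo: "apt-fast",
  commit: "ac82051792f764220e5e303d4560de0f1952826b",
  files: [{ path: "apt-fast", sha256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" }],
};

// Offline stand-in fetchers: one serving the bytes the pin was recorded for,
// one serving content that changed after the pin (constructed, one byte off).
export const goodFetcher: Fetcher = () => Buffer.from("abc");
export const tamperedFetcher: Fetcher = () => Buffer.from("abd");

// Returns "verified" or the error message, so both outcomes are observable.
export function tryInstall(fetch: Fetcher): string {
  try {
    fetchVerified(DEMO_PIN, fetch);
    return "verified";
  } catch (e) {
    return (e as Error).message;
  }
}
```

Recording the digest in the repo next to the commit id means a reviewer sees both values change together in a PR, which is the audit trail the comment asks for; pinning the commit alone already prevents a branch push from altering the download, and the checksum additionally catches a mirror or proxy serving different bytes.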

aminya (Owner, Author)


Thanks for the suggestion. Yes, here I assumed that the actual repo isn't compromised, and so the script can be trusted. It's a good idea to pin the commit.
