Require checksums for HTTPS resources

[ferventcoder]

With #112, we started requiring checksums for HTTP/FTP and provided an enabled feature to require checksums for HTTPS as well. If a checksum is missing in these scenarios, it would fail the package.

This switches the feature allowEmptyChecksumsSecure to disabled.

[ferventcoder]

Considering making this one an opt in feature

[ferventcoder]

This is up for discussion, please feel free to weigh in here.

[TheFynx]

👍
A checksum provides positive factors outside of ensuring the source. Just because a connection is secure doesn't mean the source file is the right one. With Let's Encrypt (which I love) means just about anyone can have HTTPS these days (which is a good thing).

• Ensures corruption didn't happen during download
• This also helps detect changes in sources that don't provide any kind of versioning in the package name (e.g.; amazon) and keep the same download path (e.g.; slack).

Just my two cents.

[ferventcoder]

@TheFynx thanks. One thing to consider is that you can turn it on now in 0.10.0 already. The feature is set to allow empty checksums for secure connections by default.

[ferventcoder]

Going to hold on this one for a little while - I think the plan is to turn this on, but provide a little more time for folks to get their packages in order.

[vertigo220]

I'm in agreement with @TheFynx on this one. This is one of the things I came here to mention, because I definitely think this should not be enabled by default. That is, it should not allow empty checksums just because the source is HTTPS by default. Just because a file is downloaded from an HTTPS site doesn't mean it couldn't be corrupted (either on the site or during the download) or replaced with a malicious version (if the site were compromised). HTTPS isn't a guarantee of a file's integrity; all it "guarantees" is that your connection to the file is secure.

[gep13]

@vertigo220 we don't disagree with you here, and this is something that will get turned on by default.

[vertigo220]

I'm confused, because you say it will get turned on by default, but I read that as the option to allow empty checksums for HTTPS will be enabled by default, which is the opposite of what I'm saying. Do you mean the need for checksums will be turned on by default?

[ferventcoder]

@vertigo220 apologies for the confusion - what was meant is that allowEmptyChecksumsSecure will be disabled by default at some point. https://github.com/chocolatey/choco/wiki/ChocolateyConfiguration#security

[ferventcoder]

@vertigo220 for features choco has the ability for us to switch a default for a newer edition and if a user has not explicitly set the value, it will adjust automatically when the default changes.

[gep13]

This will need a change to package-validator, to enforce this rule for all new package submissions as well:

https://gitlab.com/chocolatey/community-infrastructure/package-validator/-/issues/143