Installing Kotlin securely, with package signatures, auto-update etc


#1

The options I see for installing Kotlin aren’t clear about security issues. I don’t know if sdkman checks (or even supports) signatures on packages, I don’t know if it automatically tracks security updates on Kotlin and other installed packages (like apt-get does), I don’t know how big the install is going to be, etc.

I posted a question at the sdkman site (Security: support for package signatures? Auto-update? TUF? · Issue #577 · sdkman/sdkman-cli) which hasn’t been answered yet. I may be impatient, but Kotlin looks cool, so I thought I’d ask here.

  • Does sdkman check (or even support) digital signatures on packages?
  • Does sdkman automatically track security updates for installed packages like Kotlin and others they depend on, e.g. like Debian’s apt-get package management system does? Would I just be alerted to security updates, or is there also an option to auto-install security updates?
  • Are there any plans to use The Update Framework (TUF) to really deal with software updates in a secure way?

And while I’m at it, another comparison with common Linux package managers comes to mind. Is there a way to find out how much disk space a particular install is going to use, before agreeing to install it?

Note that for a whole host of reasons, I think users need signatures generated on the packages and updates via offline keys, not just TLS certificates and security. TLS doesn’t protect against attacks on the host sites which are of course online and thus very hard to really secure. See e.g. the discussion at Signatures are not secure or safe · Issue #1395 · conda/conda for some of the challenges of doing secure package updates, and a commitment by another big player to step up to the plate and implement TUF.

If sdkman doesn’t support installations and updates to maintain a secure environment, has Kotlin looked at other options for keeping its users safe? E.g. is there an Ubuntu PPA for it, or is anyone working to package it for Debian/Ubuntu?

Or is there some other approach?

Thanks!


#2

In most real scenarios, “installing Kotlin” is not something that you need to do at all. You install the IntelliJ IDEA plugin for Kotlin (which IntelliJ IDEA then keeps up to date automatically), and you add a reference to Kotlin to your build.gradle or pom.xml (which causes Maven or Gradle to download the Kotlin compiler and standard library). Therefore, the issues of package verification are mostly out of scope for Kotlin itself.

Because of that, we currently don’t have any plans to provide any additional installation mechanisms for Kotlin.


#3

Ah, thank you for the quick response. It helps to have that perspective. My link was to your instructions for “Working with the Command Line Compiler” that I found looking for installation instructions via Google. So I’m still interested in knowing how to do a secure installation on a server, which I assume can’t run IntelliJ. I also imagine that over time, as Kotlin gets used for a broader variety of use cases, secure server-based installs will be more in demand.

But now I’m also interested in knowing how IntelliJ IDEA itself can be securely installed. It seems that for Linux, at the JetBrains IntelliJ IDEA download site, I’m expected to trust a download of a .tar.gz file and there aren’t any instructions after that on your site. These days, given recent demonstrations of persistent threats, widespread vulnerabilities and phishing, increasing risks to web sites, and a wide variety of installation approaches which automatically check signatures on software packages, I’m not used to seeing raw archives used for installations. We really don’t get much added protection from looking at a SHA-256 hash value when it comes from the same web page.

Could you offer e.g. a PGP signature on the tar.gz files?

And does IntelliJ somehow update itself after that to deal with security issues?
Thanks,


#4

I’m not aware of any use cases which would require server-based installs of Kotlin. On a CI server, you’d also normally use Maven or Gradle for downloading the Kotlin compiler and standard library.

IntelliJ IDEA does support automatic updates. If you’d like to discuss the IntelliJ IDEA installation and update process in more detail, you’re welcome to do so on the IntelliJ IDEA forums: https://intellij-support.jetbrains.com/hc/en-us/community/topics/200382555-IntelliJ-IDEA-Users