The options I see for installing Kotlin aren’t clear about security issues. I don’t know if sdkman checks (or even supports) signatures on packages, I don’t know if it automatically tracks security updates on Kotlin and other installed packages (like apt-get does), I don’t know how big the install is going to be, etc.
I posted a question at the sdkman site (Security: support for package signatures? Auto-update? TUF? · Issue #577 · sdkman/sdkman-cli) which hasn’t been answered yet. I may be impatient, but Kotlin looks cool, so I thought I’d ask here.
- Does sdkman check (or even support) digital signatures on packages?
- Does sdkman automatically track security updates for installed packages like Kotlin and others they depend on, e.g. like Debian’s apt-get package management system does? Would I just be alerted to security updates, or is there also an option to auto-install security updates?
- Are there any plans to use The Update Framework (TUF) to really deal with software updates in a secure way?
And while I’m at it, another comparison with common Linux package managers comes to mind. Is there a way to find out how much disk space a particular install is going to use, before agreeing to install it?
Note that for a whole host of reasons, I think users need signatures generated on the packages and updates via offline keys, not just TLS certificates and security. TLS doesn’t protect against attacks on the host sites which are of course online and thus very hard to really secure. See e.g. the discussion at Signatures are not secure or safe · Issue #1395 · conda/conda for some of the challenges of doing secure package updates, and a commitment by another big player to step up to the plate and implement TUF.
If sdkman doesn’t support installations and updates to maintain a secure environment, has Kotlin looked at other options for keeping its users safe? E.g. is there an Ubuntu PPA for it, or is anyone working to package it for Debian/Ubuntu?
Or is there some other approach?
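As an added example (not code from the post, from sdkman or from Kotlin), here is a minimal defensive stand-in for the two checks asked about above: refuse to unpack a downloaded compiler archive unless its SHA-256 matches a digest obtained out of band, and report how many bytes it expands to before anything is written to disk. The function names, the `.tar.gz` layout and the fake archive are assumptions made for the example.

```shell
# Added example, not from the original post or from sdkman/Kotlin. Assumes a
# .tar.gz archive and an expected SHA-256 obtained out of band (e.g. from a
# signed release announcement), not from the same host as the download.

sha256_of() {                      # portable hex digest of a file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Bytes the archive expands to, measured by decompressing to a pipe so the
# cost is known before anything touches disk (tar headers and padding are
# included, so this is a slight over-estimate).
archive_size() {
    gzip -dc "$1" | wc -c | tr -d ' '
}

# Refuse to unpack unless the digest matches and the size fits the budget.
# $1 archive, $2 expected digest, $3 destination dir, $4 byte budget
install_archive() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: refusing to unpack" >&2
        return 1
    fi
    size=$(archive_size "$1")
    if [ "$size" -gt "$4" ]; then
        echo "$1 expands to $size bytes, over the $4 byte budget" >&2
        return 2
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# Constructed stand-in for a release archive so the example runs offline; a
# real install would use the vendor's archive and its published digest.
WORK=$(mktemp -d)
mkdir -p "$WORK/src/kotlinc/bin"
printf 'echo fake kotlinc\n' > "$WORK/src/kotlinc/bin/kotlinc"
tar -czf "$WORK/kotlin-compiler.tar.gz" -C "$WORK/src" kotlinc
GOOD_DIGEST=$(sha256_of "$WORK/kotlin-compiler.tar.gz")
# A tampered copy: one appended byte changes the digest, so it must be refused.
cp "$WORK/kotlin-compiler.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"

# Genuine archive, matching digest, generous budget: unpacks into $WORK/dest.
install_archive "$WORK/kotlin-compiler.tar.gz" "$GOOD_DIGEST" "$WORK/dest" 1000000
```

Running the same function on `$WORK/tampered.tar.gz`, or with a byte budget smaller than the expanded size, returns non-zero and creates no destination directory.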