Script URL in README should be directly from GitHub instead of goo.gl
jdanford opened this issue
Jordan Danford commented
Currently, the URL to the ssh-ident script provided in the README is goo.gl/MoJuKB. While this is legitimate and simply points to https://raw.githubusercontent.com/ccontavalli/ssh-ident/master/ssh-ident, it goes against my security instincts. Is there a reason not to use the GitHub URL directly?
Carlo Contavalli commented
The main reasons for the goo.gl link are that:
1) It is shorter - which is handy if you are copying the URL manually for whatever reason (VMs, using a smartphone, ...).
2) It gives me statistics - is the link used at all? If I were to split ssh-ident into a set of libraries and scripts, would users suffer? Do people really trust installing software which will handle their passphrases and secret keys with a simple wget and no signatures or other authentication mechanisms? etc.
In terms of security, yes, eliminating the shortlink redirection will eliminate one player in the download chain. Right now, though, I don't feel like it would significantly increase security: I should really provide signatures for the full "source" - either host could have been compromised.
It also seems that only a minority of the users are using the goo.gl link? 135 accesses since 2014, vs 500 stars on GitHub, and 45 forks. Either people are starring the project without using it, or using git clone or downloading directly.
Unfortunately, GitHub does not provide very good stats :(.
Carlo
Jordan Danford commented
Alright, thank you for explaining your reasoning, and for making such a useful tool!