QR code encoding and decoding in #babashka: https://github.com/babashka/pod-babashka-gozxing

```
(qr/encode "https://babashka.org" "out.png")
(qr/decode "out.png") ;;=> "https://babashka.org"
```

#clojure

GitHub - babashka/pod-babashka-gozxing: A babashka pod for reading and writing QR codes, backed by the Go library gozxing (a port of ZXing).

@borkdude Woohoo!

Needs a bit of setup; you have to do:
```
(require '[babashka.pods :as pods])
(pods/load-pod 'org.babashka/gozxing "0.0.1")
(require '[pod.babashka.gozxing :as qr])
```

before you can invoke functions in the `qr` namespace.

But extremely cool. The auto-provisioning of the requirement at runtime is slick, cool, and, from a security point of view, slightly alarming!

(I should look and see how `load-pod` verifies the download)

#Babashka
#Clojure

@simon_brooke Yep, but that didn't fit into my other social media posts :)

I'm open to suggestions on how to better verify pod downloads

@borkdude H'mmm...

If your intent is that anyone should be able to register pods, then obviously a malign actor can register pods. If your intent is that pods should be safe, then someone somewhere has to review, evaluate and authorise.

Most technical problems are ultimately people problems...

Currently, `download` doesn't seem to do anything to verify that the file downloaded is the file expected:

https://github.com/babashka/pods/blob/master/src/babashka/pods/impl/resolver.clj#L106

/Continued

pods/src/babashka/pods/impl/resolver.clj at master · babashka/pods

@simon_brooke Pods can only be registered via the central repository:

https://github.com/babashka/pod-registry

I personally review and merge PRs.

We could do a sha256 check or so.

GitHub - babashka/pod-registry: Pod manifests describe where pods can be downloaded, etc.

@borkdude If you had an MD5sum or a public key stored in the same directory on the same server as the pod being requested, then any attacker who could overwrite (or otherwise substitute) the pod file could also overwrite or substitute the proof file.

(seen your latest reply) an MD5 sum in the registry would at least verify the artefact delivered was the same artefact you reviewed.

I could maybe do you a pull request on this, if that would help.
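Putting the sha256 idea from the previous reply together with the point above about where the digest has to live, here is an added example in babashka-flavoured Clojure. It is not code from babashka, pods or pod-registry. It assumes a hypothetical `:artifact/sha256` key in the registry manifest entry next to `:artifact/url`, stands in a temp file for the real download (so it runs offline), and fails closed when a manifest entry carries no digest. Because the digest is read from the reviewed registry and not from the artifact's host, an attacker who can replace the archive on that host cannot also replace the value it is checked against.

```clojure
#!/usr/bin/env bb
;; Added example, not code from babashka/pods or pod-registry: check a downloaded
;; pod artifact against a sha256 recorded in the registry manifest.
;; ASSUMPTION: the manifest entry carries a hypothetical :artifact/sha256 key
;; beside :artifact/url; the real schema is whatever pod-registry defines.
(ns pod-verify
  (:require [clojure.java.io :as io])
  (:import [java.io File InputStream]
           [java.security MessageDigest]))

(defn sha256-hex
  "Lower-case hex SHA-256 of a file, streamed in 8 KiB chunks so a large
   archive is never read into memory at once."
  [f]
  (let [md  (MessageDigest/getInstance "SHA-256")
        buf (byte-array 8192)]
    (with-open [^InputStream in (io/input-stream f)]
      (loop []
        (let [n (.read in buf)]
          (when (pos? n)
            (.update md buf 0 n)
            (recur)))))
    ;; Java's %x formats a Byte as its unsigned 8-bit value, so -93 -> "a3"
    (apply str (map #(format "%02x" %) (.digest md)))))

(defn verify-artifact!
  "Returns the downloaded file when its digest equals the digest the registry
   manifest records for it. Otherwise deletes the download and throws, so a
   substituted artifact never reaches load-pod. An entry without a digest is
   refused rather than silently trusted (fail closed)."
  [artifact ^File downloaded]
  (let [expected (some-> (:artifact/sha256 artifact) .toLowerCase)
        actual   (sha256-hex downloaded)]
    (cond
      (nil? expected)
      (throw (ex-info "manifest entry has no :artifact/sha256; refusing unverified artifact"
                      {:url (:artifact/url artifact)}))

      (not= expected actual)
      (do (.delete downloaded)
          (throw (ex-info "sha256 mismatch: artifact differs from the one the registry reviewed"
                          {:url      (:artifact/url artifact)
                           :expected expected
                           :actual   actual})))

      :else downloaded)))

;; --- demo on constructed data, no network ---
;; Stand-in for a registry manifest entry; the URL is hypothetical and never fetched.
(def manifest-entry
  {:artifact/url    "https://example.invalid/pod-babashka-gozxing-0.0.1-linux-amd64.zip"
   ;; SHA-256 of the five bytes "hello", standing in for the reviewed archive's digest
   :artifact/sha256 "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"})

(defn fake-download
  "Writes `content` to a temp file, playing the role of the archive fetched
   from :artifact/url."
  [^String content]
  (doto (File/createTempFile "pod-artifact" ".zip")
    (.deleteOnExit)
    (spit content)))

(defn -main [& _]
  ;; 1. artifact is byte-for-byte what the registry maintainer reviewed
  (let [ok (verify-artifact! manifest-entry (fake-download "hello"))]
    (println "verified:" (.getPath ok)))
  ;; 2. artifact replaced on the download host: the registry digest catches it
  (try
    (verify-artifact! manifest-entry (fake-download "hello, trojaned"))
    (catch clojure.lang.ExceptionInfo e
      (println "rejected:" (ex-message e) (ex-data e))))
  ;; 3. manifest entry without a digest: fail closed instead of loading it
  (try
    (verify-artifact! (dissoc manifest-entry :artifact/sha256) (fake-download "hello"))
    (catch clojure.lang.ExceptionInfo e
      (println "rejected:" (ex-message e)))))

;; Run the demo only when invoked as a script (`bb pod_verify.clj`), not when loaded.
(when (= *file* (System/getProperty "babashka.file"))
  (-main))
```

The check belongs between the download step and the point where the archive is unpacked and executed; a digest compared after the pod has already been started verifies nothing. Deleting the mismatching file matters too, because a cached copy that fails verification once would otherwise be picked up unverified on the next run.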

@simon_brooke A Github issue with the problem statement + proposed alternatives would be a better start :)

Hash signature for each artifact · Issue #199 · babashka/pod-registry

The registry is a central point for registering pods, but the pod artifacts can, per the specification, be hosted on any URL, so you do not control access to the repositories on which individual ar...