From 073ed4d05a6270578fa65f9ce35201506bf14e96 Mon Sep 17 00:00:00 2001
From: Wayland Yang <wayland0916@gmail.com>
Date: Thu, 11 Jun 2026 09:43:18 +0800
Subject: [PATCH] =?UTF-8?q?docs(setup-host):=20explain=20why=20curl-pipe-s?=
 =?UTF-8?q?h=20rustup=20install=20is=20safe=20here=20=E2=80=94=20#236?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

@jelloee filed #236 noting that scripts/setup-host.sh's curl-pipe-sh
rustup install lacks a checksum or version pin. Accurate observation,
but the supply-chain risk is bounded by `rust-toolchain.toml` at the
repo root — rustup-init only installs the rustup binary; the toolchain
forkd actually compiles with is fetched from rust-lang.org and pinned
by the toml. So even a sh.rustup.rs compromise wouldn't pick the
project's compiler.

Adding a comment explaining this so future readers don't re-raise the
same concern. Also notes a possible future `--paranoid` mode that
downloads rustup-init + verifies sha256 — deferred because the sha256
needs refreshing on every rustup-init release, which trades supply-
chain hygiene for maintenance staleness.

Closes #236.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 scripts/setup-host.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/scripts/setup-host.sh b/scripts/setup-host.sh
index eb6014e..001d9d1 100644
--- a/scripts/setup-host.sh
+++ b/scripts/setup-host.sh
@@ -36,6 +36,18 @@ sudo apt-get install -y \
     jq
 
 say "Installing Rust (if missing)..."
+# curl-pipe-sh is the upstream-recommended rustup install path. The
+# rustup binary version that lands here does NOT determine what compiler
+# forkd actually builds with — `rust-toolchain.toml` at the repo root
+# pins the channel (currently `stable`), and rustup fetches that
+# toolchain on first `cargo build`. So a supply-chain compromise of
+# `sh.rustup.rs` would still be bounded by what rustup-init does
+# locally; the project itself remains pinned.
+# See #236 for the security discussion. Future work: a `--paranoid` mode
+# that downloads the rustup-init binary and verifies sha256 before
+# executing. Not done now because the sha256 needs to be refreshed on
+# every rustup-init release, which trades supply-chain hygiene for
+# maintenance staleness.
 if ! command -v cargo >/dev/null; then
     curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
     # shellcheck disable=SC1091