You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jul 4, 2026. It is now read-only.
The --ssl-no-revoke flag disables certificate revocation checking entirely.
This applies to downloads of:
Ollama (from GitHub Releases)
AnythingLLM (from cdn.anythingllm.com)
All GGUF model files (from huggingface.co)
If any of these CDNs were serving content under a revoked or compromised
certificate, curl would not detect it — the download and subsequent execution
would proceed silently.
For a tool explicitly marketed on privacy and zero-trust operation, bypassing
revocation checking is a meaningful gap in the trust chain.
Expected behaviour
TLS revocation checking should be active. Removing --ssl-no-revoke is
sufficient on modern Windows builds where OCSP/CRL support is functional.
For the Ollama release binary specifically, published SHA256 checksums are
available in the GitHub release assets. Post-download verification against
those checksums would provide an additional integrity layer independent of TLS.
Proposed fix
Remove --ssl-no-revoke from all curl.exe calls in install-core.ps1
Add SHA256 checksum verification for the Ollama binary after download,
using the hash published in the corresponding GitHub release
Every download in
install-core.ps1uses the following curl invocation:The
--ssl-no-revokeflag disables certificate revocation checking entirely.This applies to downloads of:
If any of these CDNs were serving content under a revoked or compromised
certificate, curl would not detect it — the download and subsequent execution
would proceed silently.
For a tool explicitly marketed on privacy and zero-trust operation, bypassing
revocation checking is a meaningful gap in the trust chain.
Expected behaviour
TLS revocation checking should be active. Removing
--ssl-no-revokeissufficient on modern Windows builds where OCSP/CRL support is functional.
For the Ollama release binary specifically, published SHA256 checksums are
available in the GitHub release assets. Post-download verification against
those checksums would provide an additional integrity layer independent of TLS.
Proposed fix
--ssl-no-revokefrom allcurl.execalls ininstall-core.ps1using the hash published in the corresponding GitHub release