[Nix-dev] Malicious installation methods

Kevin Cox kevincox at kevincox.ca
Fri Jun 17 13:38:33 CEST 2016


On 17/06/16 07:12, Yui Hirasawa wrote:
> 
> Retrieving code straight from the internet and blindly executing is
> never a good thing and you don't give any sort of recommendation for the
> user to inspect the script before running it. This completely defeats
> the point of having reproducible builds when your system can be
> completely infected when you install the package manager. This also
> means that anything installed through the package manager is potentially
> malicious as well.
> 
>> $ curl https://nixos.org/nix/install | sh
> 

This has been discussed in many forms in many places. You are
downloading code that you intend to run as root on your machine, and the
distribution method is over a verified channel. This is no more
dangerous than most other ways to download software that your root user
will run.

One improvement would be to sign the actual script with an offline key
but, while that would be safer, the current method is perfectly fine.

I know that people see `curl http...` and get all excited but, in this
case at least, it is a sufficiently secure method.
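
The offline-key signing idea mentioned in the message above, as an added example that is not part of the original post or of the Nix project's installer. It assumes a detached signature and a PEM public key obtained out of band; the function names, the signature URL and the key file are hypothetical, and OpenSSL is used here as one way to do the verification.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, verify a detached signature
# over it, and only then run it. All names below are hypothetical.

# verify_script SCRIPT SIG PUBKEY
# Succeeds only if SIG is a valid signature over SCRIPT's SHA-256 digest
# made with the private half of PUBKEY (a PEM public key).
verify_script() {
    [ -s "$1" ] && [ -s "$2" ] && [ -r "$3" ] || return 1
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# fetch_verify_run URL SIG_URL PUBKEY
# Downloads both files completely before anything executes, so a truncated
# or modified transfer is rejected instead of being piped into sh.
fetch_verify_run() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp/install" "$1" &&
       curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp/install.sig" "$2" &&
       verify_script "$tmp/install" "$tmp/install.sig" "$3"
    then
        # The file on disk is the one that was verified; it can also be
        # read here before it is executed.
        sh "$tmp/install"
        rc=$?
    else
        echo "refusing to run: download or signature check failed" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (the signature URL and key file are placeholders; the page does not
# say that a signature is published):
#   fetch_verify_run https://nixos.org/nix/install \
#       https://example.invalid/install.sig ./installer-pub.pem
```

With this arrangement the trust anchor is the public key already on the machine, so a compromise of the web server alone is not enough to get a modified script executed.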
