[Nix-dev] Malicious installation methods
Azul
mail at azulinho.com
Fri Jun 17 13:59:11 CEST 2016
simple as that,
just don't do it.
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
On 17 Jun 2016 12:38, "Kevin Cox" <kevincox at kevincox.ca> wrote:
> On 17/06/16 07:12, Yui Hirasawa wrote:
> >
> > Retrieving code straight from the internet and blindly executing is
> > never a good thing and you don't give any sort of recommendation for the
> > user to inspect the script before running it. This completely defeats
> > the point of having reproducible builds when your system can be
> > completely infected when you install the package manager. This also
> > means that anything installed through the package manager is potentially
> > malicious as well.
> >
> >> $ curl https://nixos.org/nix/install | sh
> >
>
> This has been discussed in many forms in many places. You are
> downloading code that you intend to run as root on your machine, and the
> distribution method is over a verified channel. This is no more
> dangerous then most other ways to download software that your root user
> will run.
>
> One improvement would be to sign the actual script with an offline key
> but while that would be safer the current method is perfectly fine.
>
> I know that people see `curl http...` and get all excited but, in this
> case at least, it is a sufficiently secure method.
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160617/d1a66a43/attachment.html>
More information about the nix-dev
mailing list