[Nix-dev] Malicious installation methods
Kevin Cox
kevincox at kevincox.ca
Fri Jun 17 15:23:44 CEST 2016
On 17/06/16 09:17, Adrien Devresse wrote:
>> The installer, when run, will fetch more code for users to blindly execute (as most of that code will be provided in compiled form). How is blindly running an installer worse than running other code from the same provider?
>
> Simply put the shasum of your installer on the website and ask the user
> to verify. That is what many projets do, and it's a three lines of
> installation instead of one.
>
So you're trusting a hash from the same site that you are downloading
the script from? I can see a lot of value in a cryptographic signature
(like PGP) but I see almost no value in a hash.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20160617/f4de49b6/attachment.sig>
More information about the nix-dev
mailing list