[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Fri Jun 17 15:53:25 CEST 2016


>> The installer, when run, will fetch more code for users to blindly
>> execute (as most of that code will be provided in compiled form). How
>> is blindly running an installer worse than running other code from
>> the same provider?
>
> Simply put the shasum of your installer on the website and ask the
> user to verify. That is what many projects do, and it's three lines
> of installation instead of one.

And just because the installer is a problem doesn't mean the binary
packages couldn't also be a problem.

>>> PS. There are ways of detecting when something is piped straight to an
>>> interpreter and thus even if someone did curl and read the output and
>>> then curled into a shell they could still get infected as serving
>>> different pages depending on the circumstances isn't all that
>>> difficult.
>>
>> This assumes https://nixos.org is already malicious - and then you shouldn't run *anything* that comes from there.
>>
>
> The problem is not *ONLY* nixos.org.
>
> Depending on your country and your environment, TLS / HTTPS alone is no
> longer a protocol that you can trust blindly
> - https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-x/
> - https://yro.slashdot.org/story/15/12/08/1451239/in-kazakhstan-the-internet-backdoors-you
> - https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>
> But without even considering that, "curl-pipe-bash" will cause your
> sysadmin to blow a fuse or heartbreak in most companies / environments.
> And for very good reasons.
>
> Transforming this into a three lines installation script with a simple
> "sha256sum -c " verification would not make users run away and would
> make the project look more professional.

sha256sum won't be much use if you don't also sign the sums. Of course
you could also just detach-sign the scripts as well.
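As an added illustration of the point above (example code, not from the thread or from the Nix project): a checksum list published next to the installer is only as trustworthy as the server that serves both, so the install flow below checks a detached signature on SHA256SUMS before trusting the sums. File names install.sh, SHA256SUMS and SHA256SUMS.asc are assumptions, and the release directories are constructed locally.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the Nix project.
# Assumed layout: install.sh, SHA256SUMS, SHA256SUMS.asc (detached signature).

# Checksum check alone: passes whenever install.sh matches SHA256SUMS,
# no matter who wrote SHA256SUMS.
verify_sums() {
    ( cd "$1" && sha256sum -c --status SHA256SUMS ) 2>/dev/null
}

# Signature check: the signing key must have been imported from a channel
# other than the download server (fingerprint in docs, keyserver, etc.),
# otherwise this collapses back into trusting the server.
verify_signature() {
    ( cd "$1" && gpg --batch --verify SHA256SUMS.asc SHA256SUMS ) 2>/dev/null
}

# The "three lines" install: run the script only when both checks pass.
install_checked() {
    verify_signature "$1" && verify_sums "$1" && sh "$1/install.sh"
}

# Constructed sample release directory, as a project would publish it.
make_release() {
    mkdir -p "$1"
    printf 'echo installed\n' > "$1/install.sh"
    ( cd "$1" && sha256sum install.sh > SHA256SUMS )
}

# Failure mode the thread describes: whoever controls the server or the
# TLS path can republish both files together. verify_sums still passes;
# only the signature, made with a key the server never held, fails.
tamper_release() {
    printf 'echo tampered\n' > "$1/install.sh"
    ( cd "$1" && sha256sum install.sh > SHA256SUMS )
}

# Demo: a tampered release sails through the unsigned checksum check.
demo_dir=$(mktemp -d)
make_release "$demo_dir"
tamper_release "$demo_dir"
verify_sums "$demo_dir" && echo "sha256sum -c passed on a tampered release"
rm -rf "$demo_dir"
```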
