> Like already said before, detecting if a user runs a curl-pipe-bash and
> injecting a malicious binary on the fly is rather trivial to do compared
> to compromising the nixos website itself, and creating a phishing page to fake
> both the tarball and the displayed hash.

Hash would only ensure that there is no corruption en route, but we
already have that since most TLS ciphersuites are authenticated... gotta
check nixos.org ciphersuites.
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev