>> The installer, when run, will fetch more code for users to blindly
>> execute (as most of that code will be provided in compiled form). How
>> is blindly running an installer worse than running other code from
>> the same provider?
>
> Simply put the shasum of your installer on the website and ask the
> user to verify. That is what many projects do, and it's three lines
> of installation instead of one.

And just because the installer is a problem doesn't mean the binary
packages couldn't also be a problem.

>>> PS. There are ways of detecting when something is piped straight to an
>>> interpreter and thus even if someone did curl and read the output and
>>> then curled into a shell they could still get infected as serving
>>> different pages depending on the circumstances isn't all that
>>> difficult.
>>
>> This assumes https://nixos.org is already malicious - and then you shouldn't 
>> run *anything* that comes from there.
>>
>
> The problem is not *ONLY* nixos.org.
>
> Depending on your country and your environment, TLS / HTTPS alone is
> no longer a protocol that you can trust blindly
> - https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-x/
> - https://yro.slashdot.org/story/15/12/08/1451239/in-kazakhstan-the-internet-backdoors-you
> - https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
>
> But without even considering that, "curl-pipe-bash" will cause your
> sysadmin to blow a fuse or heartbreak in most companies / environments.
> And for very good reasons.
>
> Transforming this into a three lines installation script with a simple
> "sha256sum -c " verification would not make users run away and would
> make the project look more professional.

sha256sum won't be much use if you don't also sign the sums. Of course
you could also just detach-sign the scripts as well.
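The "three lines instead of one" flow discussed in this thread, and the reason a bare checksum is not enough, as an added example that is not part of the nix-dev discussion and not the Nix project's own installer code. It assumes coreutils `sha256sum` (or perl `shasum`) is on PATH; the file names `install.sh` and `SHA256SUMS` and the installer contents are constructed for the demonstration. The last step shows the point made above: whoever can replace the script can also replace an unsigned sums file, so the check passes again, which is why the sums (or the script) need a signature on top.

```shell
#!/bin/sh
# Added example, not code from the nix-dev thread or the Nix project.
# Assumes sha256sum (coreutils) or shasum (perl) is available; the
# installer and sums file below are constructed for the demonstration.

sha256_tool() {
    # Portable wrapper: coreutils on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# What the project publishes next to the installer: a SHA256SUMS file
# containing "<hex digest>  <file name>" lines, written from inside the
# directory so the recorded name is relative.
publish_sums() {
    # $1 = directory, $2 = installer file name inside it
    ( cd "$1" && sha256_tool "$2" > SHA256SUMS )
}

# What the user runs before executing the script: "sha256sum -c".
# Returns 0 only if every line in SHA256SUMS matches the file on disk.
verify_installer() {
    # $1 = directory holding both the installer and SHA256SUMS
    ( cd "$1" && sha256_tool --status -c SHA256SUMS ) >/dev/null 2>&1
}

# Walks through the three states the thread argues about and returns a
# compact summary: "ok", "tampered:rejected" and "both-replaced:accepted".
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "installing (constructed sample)"\n' > "$d/install.sh"
    publish_sums "$d" install.sh

    # 1. Genuine download: checksum matches.
    verify_installer "$d" && s1=ok || s1=fail

    # 2. Script altered in transit or on a mirror: checksum catches it.
    printf 'echo "extra line"\n' >> "$d/install.sh"
    verify_installer "$d" && s2=tampered:accepted || s2=tampered:rejected

    # 3. Script AND unsigned sums file replaced together: the checksum
    #    still passes, which is why the sums must be signed as well.
    publish_sums "$d" install.sh
    verify_installer "$d" && s3=both-replaced:accepted || s3=both-replaced:rejected

    rm -rf "$d"
    printf '%s %s %s\n' "$s1" "$s2" "$s3"
}

demo
```

With signing added, the published artefacts are `install.sh`, `SHA256SUMS` and `SHA256SUMS.sig` (produced with `gpg --detach-sign SHA256SUMS`), and the user's three lines become: fetch the files, `gpg --verify SHA256SUMS.sig SHA256SUMS`, then `sha256sum -c SHA256SUMS` before running the script. Step 3 above no longer passes unnoticed, because replacing the sums file invalidates the signature.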

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
