vitonsky 5 days ago

The current incident confirms that we can't trust the authors of DuckDB, because they can't evade a trivial phishing attack.

Tomorrow they will do it again, and attackers will replace the binary files that users download with this random script. Or this script will steal crypto, etc.

To make the attack vector difficult for hackers, it's preferable to download any software as packages. On Linux it looks like `apt install python3`.

The benefits are:

1. Repositories are immutable, so an attacker can't replace the binary for a specific version, even if they hack all of DuckDB's infrastructure. A remote script may be replaced at any time to run any code.

2. Some repositories have a strict review process, so there are external reviewers who will require security processes to be passed to upload a new version.
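The comment above contrasts a remote install script, which can be swapped on the server at any moment, with a package whose contents are fixed for a given version. When no package exists and a `curl | sh` installer is the only option, the practical mitigation is to pin the digest of the script you reviewed and refuse to run anything that no longer matches it. The script below is an added example written for this thread, not code from the commenter or from the DuckDB project; `sha256_of`, `verify_installer` and `demo` are names chosen here, and the "pinned" and "tampered" installers it checks are small files it constructs locally, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): run a fetched installer only if its SHA-256
# matches a digest pinned in advance, so a script replaced on the server is rejected.
set -eu

# sha256_of FILE -> prints the hex SHA-256 digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_installer FILE EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch.
# The caller should only ever `sh FILE` after this returns 0.
verify_installer() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "digest mismatch for $1: expected $2 got $actual" >&2
  return 1
}

# demo: constructed files standing in for a downloaded installer. The pinned digest is
# taken from the reviewed copy; a later "download" with an extra line must be refused.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' '#!/bin/sh' 'echo installing' > "$tmp/install.sh"
  pinned=$(sha256_of "$tmp/install.sh")          # what you would record after review
  printf '%s\n' '#!/bin/sh' 'echo installing' 'echo attacker payload' > "$tmp/tampered.sh"

  if verify_installer "$tmp/install.sh" "$pinned"; then
    echo "ok: pinned installer accepted, safe to run"
  fi
  if verify_installer "$tmp/tampered.sh" "$pinned" 2>/dev/null; then
    echo "BUG: tampered installer accepted"
  else
    echo "ok: tampered installer rejected"
  fi
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `sh verify.sh --demo` to see the accept/reject behaviour. The pinned digest has to come from a copy you actually read, and it only protects the file, not the chain of downloads the script itself performs; that is why the thread prefers a signed, versioned package repository, where the same guarantee is enforced by the package manager for every file.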

riku_iki 5 days ago | parent [-]

> On Linux it looks like `apt install python3`.

For macOS they have it in brew, which you can also use on Linux; it is also available in nix.

I think the problem is that there are so many Linux distros with their own package repositories that it is a very non-trivial task to include a package in most of them if the maintainers are not proactively interested.