0xbadcafebee, 5 days ago
> Fundamentally, doesn't the security depend entirely on whether https is working properly? Even the standard package repos are relying on https right?

They should only need http. You don't need https at all if your package is signed. The package/installer/app/etc could come from anywhere, modified by anyone, at any level. But if it's not signed by the dev's private key (which only exists on their laptop [or hardware token], protected by a password/key manager), it's invalid. This avoids the hundred different exploits between the dev and the user.

What's actually crazy about this is, if you're already making the user do a copy and paste, it doesn't have to be one line. Compare that line above, to:

All you have to do is copy and paste that snippet, and the same thing will happen as the one-liner, except it will only work if the sha256sum is valid. Now this isn't perfect of course, we should be using artifacts signed by a private key. But it's better than just praying.
galaxy_gas, 4 days ago
The PHP primary package manager does something similar to what you write: https://getcomposer.org/download/ It is amazing that DuckDB could be worse than decade-old PHP for something such as this.
[deleted], 4 days ago
mdaniel, 4 days ago
I'm super sad they didn't make --fail the default, and people that don't care could opt-out with --no-fail.
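The pattern the first comment describes (fetch the installer, check its sha256sum, and only then execute it) and the `--fail` behaviour mdaniel wants from curl can be put together in a few shell functions. This is an added example, not the snippet from the original comment and not any project's installer; the function names, the example URL and the pinned digest are placeholders, and the only real curl flags used are `--fail`, `--silent`, `--show-error`, `--location` and `--output`.

```shell
#!/bin/sh
# Added example: download an installer, refuse to run it unless its SHA-256
# matches a value pinned out-of-band, and make curl fail loudly on HTTP errors
# instead of saving an error page as if it were the script.
set -eu

# SHA-256 of a file; uses coreutils sha256sum, falling back to macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest equals the pinned one (hex, any case).
verify_sha256() {
  actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Run a script only after its digest has been verified; never runs on mismatch.
verify_and_run() {
  if ! verify_sha256 "$1" "$2"; then
    echo "checksum mismatch for $1, refusing to run" >&2
    return 1
  fi
  sh "$1"
}

# Fetch to a file. --fail turns an HTTP 4xx/5xx into a non-zero exit so a
# "404 Not Found" body is never mistaken for the installer.
fetch() {
  curl --fail --silent --show-error --location --output "$2" "$1"
}

# Full flow: fetch to a temp file, verify, run, and always clean up.
fetch_verify_run() {
  tmp=$(mktemp)
  rc=0
  if ! fetch "$1" "$tmp"; then
    echo "download failed" >&2
    rc=1
  elif ! verify_and_run "$tmp" "$2"; then
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage (placeholder URL and digest; the real digest is published by the
# maintainers through a channel other than the download itself):
# fetch_verify_run "https://example.invalid/install.sh" "<pinned sha256 hex>"
```

The digest check is deliberately separate from the download, so the same `verify_and_run` works whether the file arrived over https, http, or a USB stick; as the comment notes, a signature from the maintainers' key would be the stronger check, but a pinned hash already rules out a swapped or truncated download.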