scandox 4 days ago

Interesting to see some bash curl being used by a renowned cryptologist...

IshKebab 4 days ago | parent [-]

Almost like it's actually fine.

https://medium.com/@ewindisch/curl-bash-a-victimless-crime-d...

uecker 4 days ago | parent | next [-]

It is definitely not fine. The argument seems to be that since you need to trust somebody, curl | bash is fine because you just trust whoever controls the webserver. I think this is missing the point.

oddmiral 4 days ago | parent | next [-]

s/webserver/DNS/

arthur2e5 4 days ago | parent [-]

HTTPS is there, so you go down to that level only if you want to distrust any element of the public key infrastructure. Which, to be fair, there are plenty of reasons if you are paranoid -- they do tell you who's doing what in a shady way as they revoke, so there's a huge list of transgressions.

zzo38computer 4 days ago | parent [-]

It is not only that directly; the domain name might be reassigned to someone else, resulting in a valid certificate which is different than the one you wanted. (If you have the hash of the file which you have verified independently then it is more secure (if the hash algorithm is secure enough), although HTTPS is not needed in that case, it can still be used if you wish to avoid spies knowing which file you accessed. You can also use the server's public key if you know what it should be, although this has different issues, such as someone compromising the server (or the key) and modifying the script.) (There is also knowing if the script is what you intended or not anyways (or if there is something unexpected due to the configuration on your computer); if that is your issue, you can read it (and perhaps verify the character encoding) before executing it, whether or not you trust the server operator and the author of that script.)

IshKebab 4 days ago | parent [-]

> the domain name might be reassigned to someone else

If that happens it's game over. As the article I linked noted, the attackers can change the installation instructions to anything they want - even for packages that are available in Linux distros.

whyever 4 days ago | parent | prev | next [-]

It's missing which point?

uecker 4 days ago | parent [-]

That you should be very careful about what you install. Cut&pasting some line from a website is the exact opposite of it. This is mostly about psychology and not technology. But there are also other issues with this, e.g. many independent failure points at different levels, no transparency, no audit chain, etc. The counter model we tried to teach people in the past is that people select a Linux distribution, independently verify fingerprints of the installation media, and then only install packages from the curated list of packages. A lot of effort went into making this safe and closing the remaining issues.

IshKebab 4 days ago | parent [-]

None of that has anything to do with curl|bash.

Be careful who you trust when installing software is a fine thing to teach. But that doesn't mean the only people you can trust are Linux distro packagers.

uecker 4 days ago | parent [-]

I think it has a lot to do with "curl|bash". Cut&pasting a curl|bash command line disables all inherent mechanisms and stumbling blocks that would properly ensure trust. It was basically invented to make it easy to install software by circumventing all protection a Linux distribution would traditionally provide. It also eliminates all possibility for independent verification about what was installed or done on the machine.

IshKebab 4 days ago | parent [-]

Downloading and installing a `.deb` or `.rpm` is going to be no more secure. They can run arbitrary scripts too.

uecker 4 days ago | parent [-]

Downloading a deb via a package manager is more secure. Downloading a deb, comparing the hash (or at least noting down the hash) would also already be more secure.

But yes, that they run arbitrary scripts is also a known issue, but this is not the main point as most code you download will be run at some point (and ideally this needs sandboxing of applications to fix).
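
The comment above and zzo38computer's earlier one both mention comparing a download against an independently verified hash before running it. The sketch below is an added example, not part of the thread: it saves the script to a file, checks it against a pinned SHA-256, and executes it only on a match. The function names are hypothetical and the sample installer is constructed; in real use the file would come from something like `curl -fsSLo install.sh <URL>` and the digest from a separate channel.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a pinned SHA-256.
# Function names are hypothetical; the sample installer below is constructed.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 on match, 1 on mismatch, 2 if the pin itself is malformed.
verify_pinned() {
    file=$1 expected=$2
    case $expected in
        *[!0-9a-fA-F]*) return 2 ;;          # non-hex characters in the pin
    esac
    [ "${#expected}" -eq 64 ] || return 2    # truncated or empty pin
    actual=$(sha256_of "$file") || return 2
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected_lc" ]
}

# Execute the file only after the digest check passes.
run_if_pinned() {
    if verify_pinned "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest does not match pin" >&2
        return 1
    fi
}

# Constructed demo: pin a benign script, run it, then simulate the served
# content changing after the pin was recorded.
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo installed\n' > "$d/install.sh"
    pin=$(sha256_of "$d/install.sh")         # stands in for the published digest
    first=$(run_if_pinned "$d/install.sh" "$pin")
    printf 'echo extra step\n' >> "$d/install.sh"
    second=$(run_if_pinned "$d/install.sh" "$pin" 2>/dev/null) && rc=0 || rc=$?
    rm -rf "$d"
    printf '%s|%s|%s\n' "$first" "$second" "$rc"
}
demo
```

The pin only helps if it was obtained independently of the server that serves the script; a digest copied from the same page as the install command changes along with it.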

IshKebab 4 days ago | parent | next [-]

> Downloading a deb via a package manager is more secure.

Not what I meant. Getting software into 5 different distros and waiting years for it to be available to users is not really viable for most software authors.

uecker 4 days ago | parent [-]

I think it would be quite viable if there is any willingness to work with the distributions in the interest of security.

IshKebab 4 days ago | parent [-]

Well, distros haven't really put any effort into making it viable as far as I know. They really should! Why isn't there a standard Linux package format that all distros support? Flatpak is fine for user GUI apps but I don't think it would be feasible to e.g. distribute Rust via a Flatpak.

(And when I say fine, I haven't actually used it successfully yet.)

I think distros don't want this though. They all want everyone to use their format, and spend time uploading software into their repo. Which just means that people don't.
