Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
IshKebab 4 days ago

None of that has anything to do with curl|bash.

Be careful who you trust when installing software is a fine thing to teach. But that doesn't mean the only people you can trust are Linux distro packagers.

uecker 4 days ago | parent [-]

I think it has a lot to do with "curl|bash". Cut&paste a curl|bash command-line disables all inherent mechanisms and stumbling blocks that would ensure properly ensuring trust. It was basically invented to make it easy to install software by circumventing all protection a Linux distribution would traditionally provide. It also eliminates all possibility for independent verification about what was installed or done on the machine.

IshKebab 4 days ago | parent [-]

Downloading and installing a `.deb` or `.rpm` is going to be no more secure. They can run arbitrary scripts too.

uecker 4 days ago | parent [-]

Downloading a deb via a package manager is more secure. Downloading a deb, comparing the hash (or at least noting down the hash) would also already be more secure.

But yes, that the run arbitrary scripts is also a known issue, but this is not the main point as most code you download will be run at some point (and ideally this needs sandboxing of applications to fix).

IshKebab 4 days ago | parent | next [-]

> Downloading a deb via a package manager is more secure.

Not what I meant. Getting software into 5 different distros and waiting years for it to be available to users is not really viable for most software authors.

uecker 4 days ago | parent [-]

I think it would be quite viable if there is any willingness to work with the distributions in the interest in security.

IshKebab 4 days ago | parent [-]

Well, distros haven't really put any effort into making it viable as far as I know. They really should! Why isn't there a standard Linux package format that all distros support? Flatpak is fine for user GUI apps but I don't think it would be feasible to e.g. distribute Rust via a Flatpak.

(And when I say fine, I haven't actually used it successfully yet.)

I think distros don't want this though. They all want everyone to use their format, and spend time uploading software into their repo. Which just means that people don't.

4 days ago | parent | prev [-]
[deleted]