stouset a day ago

I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

shakna a day ago | parent | next [-]

Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

saagarjha 20 hours ago | parent [-]

What’s your alternative?

shakna 19 hours ago | parent [-]

A mirrored package manager, where signature and executable are always grabbed from different sources.

Like apt, dnf, and others.

saagarjha 17 hours ago | parent [-]

Pretty sure my apt sources have the signing and package pointing to the same place

shakna 16 hours ago | parent [-]

If you have more than a single source, then apt will already be checking this for you.

The default is more than a single source.

saagarjha 15 hours ago | parent [-]

All of mine point to like somethingsomething.ubuntu.com

shakna 14 hours ago | parent [-]

If it points to mirror.ubuntu.com, it'll be mirroring at host end, instead of inside apt. But as apt does do resolution to a list, it'll be fetching from multiple places at once.

romaniitedomum a day ago | parent | prev [-]

> I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

The issue is provenance. Where is the script getting the binary from? Who built that binary? How do we know that binary wasn't tampered with? I'll lay odds the install script isn't doing any kind of GPG/PGP signature check. It's probably not even doing a checksum check.

I'm prepared to trust an executable built by certain organisations and persons, provided I can trace a chain of trust from what I get back to them.
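The two checks raised in this thread, a checksum verified before the binary is executed (this comment) and the digest obtained from a different host than the binary itself (shakna's point above), as an added POSIX shell example that is not from the thread or any real installer; the hostnames and file names are constructed placeholders, and a GPG check is left out because it presupposes a key you already trust.

```shell
#!/bin/sh
# Added example, not from the thread: gate execution of a downloaded installer
# on (1) the sums file coming from a different host than the binary and
# (2) the binary's SHA-256 matching that sums file. URLs below are placeholders.

# Reduce a URL to its host: drop scheme, path, userinfo and port.
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s#^.*@##; s#:[0-9]+$##'
}

# Return 0 if the two URLs are served by different hosts.
distinct_origin() {
  h1=$(url_host "$1"); h2=$(url_host "$2")
  [ -n "$h1" ] && [ -n "$h2" ] && [ "$h1" != "$h2" ]
}

# SHA-256 of a file, using whichever tool the platform provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if FILE's digest is listed in SUMS under FILE's basename
# (accepts the "hash  name" and "hash *name" forms sha256sum emits).
verify_sha256() {
  file=$1; sums=$2
  expected=$(awk -v name="$(basename "$file")" \
    '$2 == name || $2 == ("*" name) { print $1 }' "$sums")
  [ -n "$expected" ] || return 1
  actual=$(file_sha256 "$file")
  [ "$actual" = "$expected" ]
}

# Run BINARY only when both checks pass. $3/$4 are the URLs it and SUMS came from.
run_verified() {
  binary=$1; sums=$2; binary_url=$3; sums_url=$4
  distinct_origin "$binary_url" "$sums_url" || {
    echo "refusing: sums and binary served from the same host" >&2; return 2; }
  verify_sha256 "$binary" "$sums" || {
    echo "refusing: checksum missing or mismatched" >&2; return 3; }
  "$binary"
}
```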

a day ago | parent [-]
[deleted]