layer8 3 hours ago
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
ndriscoll 2 hours ago | parent
I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.
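A plain-shell illustration of the two checks described in this comment: a hash pin recorded when a package was first reviewed and compared on every later download, and an ancestry check that notices when a metadata repository's history has been rewritten. This is an added example, not nixpkgs' own mechanism or any commenter's code; the pin-file layout and file names are assumptions, and it needs only sha256sum (or shasum) and git.

```shell
#!/bin/sh
# Added example: trust-on-first-use hash pinning plus a git history-rewrite check.
# Assumptions: a pin file whose first field is the hex SHA-256 recorded at review
# time; a local clone of the package-metadata repository; git on PATH.
set -eu

# Hex SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_pinned FILE PINFILE
# Succeeds only if FILE still hashes to the value pinned when it was first
# reviewed, so a silently replaced "months-old" artifact is rejected.
verify_pinned() {
  pinned=$(cut -d' ' -f1 "$2")
  actual=$(sha256_of "$1")
  [ "$pinned" = "$actual" ]
}

# history_intact REPO REVIEWED_COMMIT
# A force-pushed rewrite drops previously seen commits from the main line,
# so the commit reviewed earlier must still be an ancestor of current HEAD.
history_intact() {
  git -C "$1" merge-base --is-ancestor "$2" HEAD
}
```

Run `verify_pinned pkg.tar pkg.tar.pin` before installing, and `history_intact ./nixpkgs <commit-you-reviewed>` after each fetch; a non-zero exit from either is the signal to stop and investigate.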
herecomesthepre 2 hours ago | parent
Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist or, in the case of yesterday's Wireguard / VeraCrypt discussion, think is an evil capitalist scheme to control the world. Digital signing on Windows predates Mac developer certificates by years but arguably wasn't widely used outside of security-paranoid organizations. Before someone says Linux offers GPG signing: it's mostly useless without a central PKI. Developers offer the public key for download on the same server as the software. If someone uploaded compromised software, surely they would replace the key with their own.
jeremie_strand 3 hours ago | parent
[dead]