Hi, Никита Чураев <lamefun....@gmail.com> writes:
> Here's how I want to use Guix and it is to increase > contributor-friendliness of a project, so that the user can simply run > a distribution-independent command to install all dependencies without > having to hunt for them with `apt` and `dnf` manually. > > Unfortunately, Guix itself is not very easy to install, and the > instructions are full of rather technical stuff like 'systemd' and > 'upstart'. > > https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html > > There should be a script like the one Haskell Stack uses: > > |curl -sSL https://get.haskellstack.org/ | sh| I can understand the appeal of such a convenient approach. However, this practice of downloading a script via HTTPS and immediately running it as root without inspection puts you at considerable risk. A man-in-the-middle with the resources to compromise or bribe *any* certificate authority in your trust store (the attacker could choose which one) could acquire a fraudulent certificate to impersonate our site, and then substitute in a different script than the one we provided. Quite a few organizations are capable of such an attack today. Therefore, I believe it would be irresponsible for us to promote this style of installation. However, if there's sufficient interest, and if we could produce a sufficiently robust "auto-install" script, we could perhaps do something close to what you suggested. We could provide a script along with a GnuPG digital signature. We could ask the user to download the script, acquire our signing key, verify the signature on the script, and then run the script as root. Mark