Hello, Mark H Weaver <[email protected]> skribis:
> Никита Чураев <[email protected]> writes: > >> Here's how I want to use Guix and it is to increase >> contributor-friendliness of a project, so that the user can simply run >> a distribution-independent command to install all dependencies without >> having to hunt for them with `apt` and `dnf` manually. >> >> Unfortunately, Guix itself is not very easy to install, and the >> instructions are full of rather technical stuff like 'systemd' and >> 'upstart'. >> >> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html >> >> There should be a script like the one Haskell Stack uses: >> >> |curl -sSL https://get.haskellstack.org/ | sh| > > I can understand the appeal of such a convenient approach. However, > this practice of downloading a script via HTTPS and immediately running > it as root without inspection puts you at considerable risk. A > man-in-the-middle with the resources to compromise or bribe *any* > certificate authority in your trust store (the attacker could choose > which one) could acquire a fraudulent certificate to impersonate our > site, and then substitute in a different script than the one we > provided. Quite a few organizations are capable of such an attack > today. > > Therefore, I believe it would be irresponsible for us to promote this > style of installation. Seconded. > However, if there's sufficient interest, and if we could produce a > sufficiently robust "auto-install" script, we could perhaps do something > close to what you suggested. We could provide a script along with a > GnuPG digital signature. We could ask the user to download the script, > acquire our signing key, verify the signature on the script, and then > run the script as root. I while back Chris Baines and someone else (?) had worked on such a script, but I’m not sure what happened. Chris, does that ring a bell? It would be nice to have it in time for the new release. Ludo’.
