On Tuesday 11 December 2007, Sean Dague wrote: > On Tue, Dec 11, 2007 at 12:52:56AM -0500, [EMAIL PROTECTED] wrote: > > On Dec 11, 2007 12:30 AM, Porkchop <[EMAIL PROTECTED]> wrote: > > > Have an open mind. Just that one can't think of a situation in which > > > this would be a good idea doesn't mean there is no case in which this > > > is a good idea. > > > > Ok, I'm trying but I really can't imagine any good reason to execute a > > shell script directly fetched over HTTP. Not on a private lan, not > > anywhere. HTTP is completely unencrypted, and it's easily spoofable. > > If you can live with that, so be it.. > > Actually, most network linux installers use HTTP, and run code off of an > HTTP server. It's all about levels of risk.
Usually the packages on distributions come with checksums as well as being cryptographically signed with known keys. If by chance in this case the scripts to be run are fully controlled, perhpas the same thing could be done for those? -- Chris -- Chris Knadle [EMAIL PROTECTED]
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Mid-Hudson Valley Linux Users Group http://mhvlug.org http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug Upcoming Meetings (6pm - 8pm) MHVLS Auditorium Dec 5 - Open Source Show and Tell Jan 2 - TBD Feb 6 - DBUS Mar 5 - Setting up a platform-independent home/small office network using Linux
