I recently noticed that you recommend very malicious installation methods on your download page for nix[1]
Retrieving code straight from the internet and blindly executing is never a good thing and you don't give any sort of recommendation for the user to inspect the script before running it. This completely defeats the point of having reproducible builds when your system can be completely infected when you install the package manager. This also means that anything installed through the package manager is potentially malicious as well. > $ curl https://nixos.org/nix/install | sh And this isn't made any better by the fact that you want users to run the script blindly as the superuser. > This script requires that you have sudo access to root, I ask you to PLEASE remove this installation method from the recommendations on the page because it makes it look like you don't care about computer secuirty one bit. PS. There are ways of detecthing when something is piped straight to an interpreter and thus even if someone did curl and read the output and then curled into a shell they could still get infected as serving different pages depending on the circumstances isn't all that difficult. [1]: https://nixos.org/nix/download.html _______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
