On 17/06/16 07:12, Yui Hirasawa wrote:
>
> Retrieving code straight from the internet and blindly executing is
> never a good thing and you don't give any sort of recommendation for the
> user to inspect the script before running it. This completely defeats
> the point of having reproducible builds when your system can be
> completely infected when you install the package manager. This also
> means that anything installed through the package manager is potentially
> malicious as well.
>
>> $ curl https://nixos.org/nix/install | sh
>
This has been discussed in many forms in many places. You are downloading code that you intend to run as root on your machine, and the distribution method is over a verified channel. This is no more dangerous than most other ways to download software that your root user will run. One improvement would be to sign the actual script with an offline key, but while that would be safer, the current method is perfectly fine. I know that people see `curl http...` and get all excited but, in this case at least, it is a sufficiently secure method.
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
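The reply above points at the real gap in `curl ... | sh`: the bytes go straight from the network into the shell, so there is no moment at which the user (or a tool) can check or inspect them. The following is an added example, not code from the nix-dev thread or from the Nix project, of the minimal defensive pattern: fetch the installer to a file, verify it against a digest obtained over a separate channel, and only then run it. It uses a SHA-256 digest as a stand-in for the offline-key signature the reply suggests (the check-before-run structure is the same; substitute `gpg --verify` with a detached signature where one is published). The demo script, its digest, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Nix): verify a downloaded
# installer before executing it, instead of piping curl into sh.
# Assumptions: a SHA-256 tool is on PATH; in real use EXPECTED_SHA256 comes
# from a channel separate from the download (a signed release page, a
# package-manager database), never from the same URL as the script.

# sha256_of FILE: print the hex SHA-256 of FILE, trying common tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's digest matches EXPECTED_SHA256, 1 otherwise.
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Download to a temp file (so there is something to inspect), verify the
# digest, and only then hand the file to sh. Refuses to run on mismatch.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "digest mismatch for $url; refusing to run" >&2
        rm -f "$tmp"
        return 1
    fi
    # At this point the file can also be opened in a pager for review.
    sh "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed demo input so the example runs offline: a harmless "installer"
# and the digest a publisher would have announced out of band.
DEMO_SCRIPT=$(mktemp)
printf 'echo "installer ran"\n' > "$DEMO_SCRIPT"
DEMO_DIGEST=$(sha256_of "$DEMO_SCRIPT")

# Usage with a real URL would be:
#   fetch_verify_run https://example.invalid/install "$PUBLISHED_SHA256"
# Here we only exercise the verification step on the constructed file.
verify_script "$DEMO_SCRIPT" "$DEMO_DIGEST" && echo "demo script verified"
```

The point of the intermediate file is not the digest itself but the pause it creates: a mismatch aborts before any code runs, and the file is available for the inspection the quoted message asks for. Appending anything to the script (as a tampered mirror or an in-path attacker might) changes the digest and the run is refused.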
