simple as that, just don't do it.

https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

On 17 Jun 2016 12:38, "Kevin Cox" <[email protected]> wrote:
> On 17/06/16 07:12, Yui Hirasawa wrote:
> >
> > Retrieving code straight from the internet and blindly executing is
> > never a good thing and you don't give any sort of recommendation for the
> > user to inspect the script before running it. This completely defeats
> > the point of having reproducible builds when your system can be
> > completely infected when you install the package manager. This also
> > means that anything installed through the package manager is potentially
> > malicious as well.
> >
> >> $ curl https://nixos.org/nix/install | sh
> >
>
> This has been discussed in many forms in many places. You are
> downloading code that you intend to run as root on your machine, and the
> distribution method is over a verified channel. This is no more
> dangerous than most other ways to download software that your root user
> will run.
>
> One improvement would be to sign the actual script with an offline key
> but while that would be safer the current method is perfectly fine.
>
> I know that people see `curl http...` and get all excited but, in this
> case at least, it is a sufficiently secure method.
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
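A download, verify, inspect, then run flow for the installer discussed in this thread, as an added example that is neither the Nix project's installer nor code posted by anyone above. It pins a SHA-256 digest obtained out of band (the URL and digest below are placeholders the operator fills in); a signature check with an offline key, as Kevin suggests, would slot in where the digest comparison sits.

```shell
#!/bin/sh
# Constructed example: fetch an install script to disk, check it against a
# digest published out of band, show it to the operator, and only then run it.
# Fetching to a file means the bytes you inspect are the bytes sh executes,
# and a connection cut mid-transfer cannot leave sh running a truncated script.
set -eu

# Download over HTTPS only, failing on HTTP errors, into the given file.
fetch_script() {
    url=$1; out=$2
    curl --proto '=https' --tlsv1.2 -fsSL -o "$out" "$url"
}

# Print the hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest matches the pinned value, 1 otherwise.
verify_script() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Orchestration: fetch, verify, let the operator read it, then execute.
install_from_url() {
    url=$1; expected=$2
    tmp=$(mktemp)
    fetch_script "$url" "$tmp"
    if ! verify_script "$tmp" "$expected"; then
        echo "digest mismatch for $url; refusing to run" >&2
        rm -f "$tmp"
        return 1
    fi
    less "$tmp"      # inspect before anything executes
    sh "$tmp"
    rm -f "$tmp"
}

# Placeholder invocation; the digest must come from a source other than
# the download itself (release announcement, signed checksum file, etc.):
# install_from_url https://nixos.org/nix/install <PINNED_SHA256_PLACEHOLDER>
```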
