On 17/06/16 09:17, Adrien Devresse wrote:
>> The installer, when run, will fetch more code for users to blindly execute
>> (as most of that code will be provided in compiled form). How is blindly
>> running an installer worse than running other code from the same provider?
>
> Simply put the shasum of your installer on the website and ask the user
> to verify. That is what many projects do, and it's three lines of
> installation instead of one.
>
So you're trusting a hash from the same site that you are downloading the script from? I can see a lot of value in a cryptographic signature (like PGP) but I see almost no value in a hash.
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
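The two checks being contrasted in this exchange, as an added shell example that is not part of the thread and not Nix's own install script. The checksum step proves only that the bytes match what the same site published, so it catches a corrupted download but not a replaced one; the signature step verifies against a keyring the user obtained out of band, which is the property the reply above says a same-site hash lacks. URLs, file names and the keyring path are placeholders, and `install_verified` assumes `curl` and `gpg` are available.

```shell
#!/bin/sh
# Added example, not from the nix-dev thread: verify a downloaded installer
# by checksum (integrity only) and by detached OpenPGP signature (authenticity).
# All URLs, paths and the keyring below are placeholders for illustration.

set -eu

# Print the hex SHA-256 digest of a file; works on GNU (sha256sum) and BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit 0 on match, 1 otherwise.
# A hash fetched from the same site as the script is replaced along with the
# script if that site is compromised, so this detects corruption, not tampering.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    lc_actual=$(printf '%s' "$actual" | tr '[:upper:]' '[:lower:]')
    lc_expected=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    [ "$lc_actual" = "$lc_expected" ]
}

# verify_signature FILE SIGFILE KEYRING -> exit 0 if the detached signature
# validates against a key in KEYRING. The keyring must come from a channel
# other than the download site (previous install, key servers, a second
# source), otherwise it adds nothing over the hash.
verify_signature() {
    file=$1
    sig=$2
    keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file"
}

# The "curl | sh" one-liner expanded into fetch, verify, run.
# Placeholder arguments: script URL, expected digest, signature URL, keyring path.
install_verified() {
    url=$1
    expected_sha=$2
    sigurl=$3
    keyring=$4
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp"
    curl -fsSL "$sigurl" -o "$tmp.asc"
    verify_sha256 "$tmp" "$expected_sha"            # integrity of the download
    verify_signature "$tmp" "$tmp.asc" "$keyring"   # authenticity of the publisher
    sh "$tmp"
}
```

Because `set -e` is in effect, a failed `verify_sha256` or `verify_signature` aborts `install_verified` before the `sh "$tmp"` line, so the script is never executed unless both checks pass.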
