> So you're trusting a hash from the same site that you are downloading
> the script from? I can see a lot of value in a cryptographic signature
> (like PGP) but I see almost no value in a hash.

Briefly, yes.
This is already a security improvement. As already said before, detecting if a user runs a curl-pipe-bash and injecting a malicious binary on the fly is rather trivial to do compared to compromising the nixos website itself and creating a phishing to fake both the tarball and the displayed hash.

However, I entirely agree with you that a cryptographic signature would be the best way to go.

Cheers,
Adev

On 17/06/2016 15:23, Kevin Cox wrote:
> On 17/06/16 09:17, Adrien Devresse wrote:
>>> The installer, when run, will fetch more code for users to blindly execute
>>> (as most of that code will be provided in compiled form). How is blindly
>>> running an installer worse than running other code from the same provider?
>> Simply put the shasum of your installer on the website and ask the user
>> to verify. That is what many projects do, and it's three lines of
>> installation instead of one.
>>
> So you're trusting a hash from the same site that you are downloading
> the script from? I can see a lot of value in a cryptographic signature
> (like PGP) but I see almost no value in a hash.
_______________________________________________
nix-dev mailing list
http://lists.science.uu.nl/mailman/listinfo/nix-dev
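The "download, check the shasum, then run" flow discussed in this thread, as an added example that is not part of the original messages or of the Nix project. The function names and the sample installer are constructed for illustration, and the expected hash is assumed to have been copied by the user from the project's web page rather than fetched by the script.

```shell
#!/bin/sh
# Added example: save the installer to disk, verify it, and only then run it,
# instead of piping curl straight into sh.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is not a SHA-256 digest.
verify_sha256() {
    vs_file=$1
    vs_expected=$2
    # Reject anything that is not exactly 64 hex characters.
    case $vs_expected in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#vs_expected}" -eq 64 ] || return 2
    vs_expected=$(printf '%s' "$vs_expected" | tr 'A-F' 'a-f')
    vs_actual=$(sha256sum -- "$vs_file" | cut -d' ' -f1)
    [ "$vs_actual" = "$vs_expected" ]
}

# run_if_verified FILE EXPECTED_HEX
# Executes FILE with sh only when its digest matches; otherwise refuses.
run_if_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: checksum does not match" >&2
        return 1
    fi
}

# Constructed demo: a stand-in "installer" and its published digest.
demo_dir=$(mktemp -d)
printf 'echo "installer ran"\n' > "$demo_dir/install.sh"
published=$(sha256sum "$demo_dir/install.sh" | cut -d' ' -f1)

run_if_verified "$demo_dir/install.sh" "$published"

# Simulate content altered in transit: the same digest no longer matches.
printf 'echo "injected line"\n' >> "$demo_dir/install.sh"
if ! run_if_verified "$demo_dir/install.sh" "$published"; then
    echo "tampered copy was rejected"
fi
rm -rf "$demo_dir"
```

The check only binds the file to whatever value the user typed in, so it inherits the trust placed in the page that displayed the hash, which is the limitation raised in the quoted reply.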
