Pretty good SSL: https://www.ssllabs.com/ssltest/analyze.html?d=nixos.org
I wonder if something like this would be better perceived:

    sudo mkdir /nix
    curl https://nixos.org/$(arch)nix.tar.gz | sudo tar -C /nix -xzvf -
    sudo /nix/post-install

Or I wonder if there was a universal script that would wrap that pattern, if it would generate less heat:

    #!/bin/sh
    #
    # Usage: curl-install <url> <sha256>
    #
    fail() {
      echo "$*" >&2
      exit 1
    }

    if [ $# -lt 2 ]; then
      fail "missing arguments"
    fi

    url=$1
    sha256=$2
    script_path=$(mktemp)

    # Download to a temporary file first so nothing runs before it is checked
    curl -o "$script_path" "$url" || fail "download failed"

    # sha256sum prints "<hash>  <file>"; compare only the hash field
    if [ "$sha256" != "$(sha256sum "$script_path" | cut -d' ' -f1)" ]; then
      fail "Checksum don't match"
    fi

    chmod +x "$script_path"
    exec "$script_path"

On Fri, 17 Jun 2016 at 14:58 Yui Hirasawa <y...@cock.li> wrote:

> > Like already said before, detecting if a user runs a curl-pipe-bash and
> > injecting a malicious binary on the fly is rather trivial to do compared
> > to compromise the nixos website itself, and create a phishing to fake
> > both the tarball and the displayed hash.
>
> Hash would only ensure that there is no corruption en route, but we
> already have that since most TLS ciphersuites are authenticated... gotta
> check nixos.org ciphersuites.
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev