> [1] Alright, it's better than nothing. In fact, quite a lot better than nothing, but what you really want is signing of everything in the trust chain. A *possible* way around this would be if the installer script were to have embedded/hardcoded (crypto-secure) hashes and would fetch things only via URLs containing those hashes. That'd at least be *something*.
If you sign the script and it contains, say, sha512sums for the things it pulls, you don't have to sign them separately. It's similar to how many distributions only distribute one signed file with all the sums in it.

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
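The scheme described in the reply, as an added example that is not part of the original thread or of the Nix installer: one signature over the script-plus-sums manifest, and every fetched artifact checked against the digest the signed manifest carries. Everything here is constructed for illustration (Ed25519 key pair generated on the fly, in-memory "artifacts", hypothetical `releases.example.invalid` URLs that also embed a hash prefix, as the quoted mail suggested); the ordering is the security-relevant part: the signature is verified over the whole manifest before any digest in it is trusted, and only then are artifacts fetched and compared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one line of the manifest embedded in the installer script:
// a URL and the expected SHA-512 (lowercase hex) of the bytes it serves.
type Entry struct {
	URL    string
	SHA512 string
}

// Fetcher stands in for curl/wget; the example below uses an in-memory map.
type Fetcher func(url string) ([]byte, error)

// ParseManifest reads "sha512hex  url" lines, the same layout sha512sum emits.
func ParseManifest(text string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != 128 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("bad hex digest in line %q", line)
		}
		out = append(out, Entry{URL: fields[1], SHA512: strings.ToLower(fields[0])})
	}
	return out, nil
}

// SignManifest is the one signing step the release process needs: the key
// signs the manifest (script + sums) and nothing else.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyAndFetch is what the installer must do: verify the signature over the
// whole manifest BEFORE trusting any digest in it, then fetch each artifact and
// compare its SHA-512 with the now-trusted digest.
func VerifyAndFetch(pub ed25519.PublicKey, manifest, sig []byte, fetch Fetcher) (map[string][]byte, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, errors.New("manifest signature invalid: refusing to use its digests")
	}
	entries, err := ParseManifest(string(manifest))
	if err != nil {
		return nil, err
	}
	got := make(map[string][]byte, len(entries))
	for _, e := range entries {
		data, err := fetch(e.URL)
		if err != nil {
			return nil, fmt.Errorf("fetch %s: %w", e.URL, err)
		}
		sum := sha512.Sum512(data)
		want, _ := hex.DecodeString(e.SHA512) // already validated by ParseManifest
		if subtle.ConstantTimeCompare(sum[:], want) != 1 {
			return nil, fmt.Errorf("digest mismatch for %s: got %x", e.URL, sum)
		}
		got[e.URL] = data
	}
	return got, nil
}

// Demo wires the pieces together with constructed, in-memory artifacts (no
// network). It returns the outcome of an honest install, of one where a mirror
// served a swapped tarball, and of one where the manifest itself was edited.
func Demo() (honest, swappedBlob, editedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	tarball := []byte("pretend this is the nix tarball") // constructed sample data
	blobs := map[string][]byte{}
	var manifest strings.Builder
	for _, a := range []struct {
		name string
		data []byte
	}{
		{"nix-1.0-x86_64-linux.tar.xz", tarball},
		{"install", []byte("#!/bin/sh\necho installing\n")},
	} {
		sum := sha512.Sum512(a.data)
		// Hypothetical hash-bearing URL, the variant proposed in the quoted mail.
		url := fmt.Sprintf("https://releases.example.invalid/%x/%s", sum[:8], a.name)
		blobs[url] = a.data
		fmt.Fprintf(&manifest, "%x  %s\n", sum, url)
	}
	m := []byte(manifest.String())
	sig := SignManifest(priv, m)
	fetch := func(url string) ([]byte, error) {
		if d, ok := blobs[url]; ok {
			return d, nil
		}
		return nil, fmt.Errorf("404 %s", url)
	}
	_, honest = VerifyAndFetch(pub, m, sig, fetch)

	// A mirror serving a trojaned tarball: signature still good, digest check fails.
	trojan := []byte("trojaned tarball")
	evilFetch := func(url string) ([]byte, error) {
		if strings.HasSuffix(url, ".tar.xz") {
			return trojan, nil
		}
		return fetch(url)
	}
	_, swappedBlob = VerifyAndFetch(pub, m, sig, evilFetch)

	// Attacker also rewrites the digest to match the trojan: the signature no
	// longer verifies, so the edited digests are never consulted.
	edited := strings.Replace(manifest.String(),
		fmt.Sprintf("%x", sha512.Sum512(tarball)), fmt.Sprintf("%x", sha512.Sum512(trojan)), 1)
	_, editedManifest = VerifyAndFetch(pub, []byte(edited), sig, evilFetch)
	return honest, swappedBlob, editedManifest
}

func main() {
	h, s, e := Demo()
	fmt.Println("honest install:", h)
	fmt.Println("swapped artifact:", s)
	fmt.Println("edited manifest:", e)
}
```

The public key has to reach the user by a channel other than the download it is meant to protect (pinned in the installer, a distribution keyring, or a fingerprint on the project site); with that in place, the single signature over the sums file is what makes every later fetch trustworthy, exactly as the reply describes.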
