@bascule I have yet to hear of a real security problem with `curl | sudo sh` that isn't also a problem with `sudo [npm|gem|...] install`
@KentonVarda @zooko @bascule all these should distribute and verify signed hashes. worst case this stupid thing: http://jbenet.github.io/hashpipe
@juanbenet @zooko @bascule You've just moved the problem from authenticating the script to authenticating the signing key.
@KentonVarda @zooko @bascule yes and that's way easier. No free lunch, but well-known PKI is easier than ad-hoc script inspection/auth.
@juanbenet @zooko @bascule HTTPS is well-known PKI. Has some problems but realistically we all rely on it.
@KentonVarda @zooko @bascule yeah i don't think it's a good status quo. sucks we don't have something better, but shouldn't make it worse
@juanbenet @KentonVarda @zooko @bascule We do have a solution (blockchain-based PKI), what we don’t have is the will to use it (ATM). :)
@taoeffect @juanbenet @KentonVarda @zooko all problems can be solved with the BLOCKCHAIN! pic.twitter.com/Burkr4BqRo