@wycats 1) CAs are sometimes MITMed (e.g., by vendor)
2) packages guarantee that the version content hasn't changed
@dmitry_vk how? I download packages via HTTP(S) too. Same MITM applies.
@wycats pkg manager actually validates the package content; that's a strictly stronger guarantee.
@dmitry_vk not OSX .pkg, and not PPAs, both of which are used when | sh makes sense.
@dmitry_vk or do you feel as strongly that you should not use PPAs as you do about | sh?
@wycats I'm actually more comfortable with PPA/.deb/.ebuild not b/c of security; pkg mgr prevents a lot of bugs of custom installers
@dmitry_vk it's pretty easy to mess up your PPA and I've experienced that.
@dmitry_vk but now we're pretty far from the knee jerk "stupidest idea in the world, LOL what idiots" response I was reacting to.
New conversation
@wycats 'curl ...' OK. 'sudo curl ...' Hell no. Not so much about malicious intent as about breaking and crufting my system.
@Rzhevsky but you're OK with downloading .pkg and entering your password?
Tweet unavailable
Tweet unavailable
@salkin unfortunately, publishing to all 473 package systems is pretty painful, and Unix has a pretty good universal setup.
@salkin if package managers were less of a political morass, maybe better answers would be available.
@salkin folks running package managers don't realize the cost/benefit of arcana, I suspect.
End of conversation
New conversation
@wycats @knowtheory installing unknown software is harmful. It's the direct pipe to sh without any verification that is the problem here
@nvll @knowtheory and that is precisely as insecure as any other software you ever install.
@wycats @knowtheory that was my point, really. Not directly piping it allows you to take a look at the installer. Otherwise, signed repos.
@nvll @knowtheory the | sh pattern is what makes verification so simple; maligning it is misguided.
@wycats @knowtheory Perhaps I'm misunderstanding you? How does blindly executing code curl grabbed make verification easier?
@nvll @knowtheory vs. downloading a pkg and running it, where the script being run is hidden from sight.
@wycats @knowtheory The sh pattern is the same as unsigned, but remove the | sh and you can do some verification if it's not a binary format.
@nvll @knowtheory it's the same as unsigned over HTTPS, yes, with a very simple verification step if you want it.
End of conversation
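The "very simple verification step" mentioned in the last exchange, written out as an added example (this is editor-supplied code, not something any participant in the thread posted): fetch the installer to a file over HTTPS only, check it against a SHA-256 digest, read it, and only then hand it to sh. The URL, the destination path and the digest are placeholders; the digest is assumed to come from somewhere other than the same HTTPS host that serves the script (a signed release page, a mirror, a colleague), because a hash published beside the script on the same server is defeated by exactly the MITMed-CA case raised in the first conversation. With a pinned digest, the check detects a changed script whether or not the transport was trusted, which is the guarantee a signed repo gives and a bare `curl | sh` does not.

```shell
#!/bin/sh
# Added example: download, pin, read, then run, instead of `curl URL | sh`.
# Nothing here is a real project's installer; URLs and digests are placeholders.

# SHA-256 of a file: GNU coreutils `sha256sum` on Linux, `shasum -a 256` on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Fetch over HTTPS only (refuse a downgrade to http:// on redirect), TLS 1.2+,
# and fail instead of saving an error page as the "installer".
fetch_installer() {
    url=$1; dest=$2
    curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$dest"
}

# Returns 0 when the file's SHA-256 equals the expected hex digest, 1 otherwise.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Run the script only if it verifies; on mismatch run nothing and return 1.
run_verified() {
    file=$1; expected=$2
    if ! verify_sha256 "$file" "$expected"; then
        echo "refusing to run $file: SHA-256 mismatch" >&2
        return 1
    fi
    sh "$file"
}

# Usage (the network step is shown, not executed here):
#   fetch_installer https://example.invalid/install.sh ./install.sh
#   less ./install.sh            # the look you cannot take with `| sh`
#   run_verified ./install.sh "$EXPECTED_SHA256"   # digest obtained out of band
```

The digest check is the only part that adds a guarantee beyond HTTPS; the detour through a file is what makes reading the script possible at all, which is the thread's point about .pkg installers hiding the script from view.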