
Re: Anti-malware for my personal Debian workstation?



On Sun, Apr 12, 2020 at 10:41:12AM -0400, Celejar wrote:
> On Sun, 12 Apr 2020 11:37:24 +0300
> Andrei POPESCU <andreimpopescu@gmail.com> wrote:
> 
> > On Du, 12 apr 20, 09:17:18, tomas@tuxteam.de wrote:
> > > On Sun, Apr 12, 2020 at 09:52:50AM +0300, Andrei POPESCU wrote:

[...]

> Interesting discussion. I've looked quickly at the other side [1],
> however, and there seem to be serious people and arguments in that
> direction as well. Are they so obviously wrong? [The objection Andrei
> notes here is specifically countered by the "curl | bash" defenders,
> although even I can see that the counter is not as strong as the
> objection.]
> 
> [1]
> https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install
> https://news.ycombinator.com/item?id=12766049

It boils down to whom you trust. Actually the sandstorm page is
a bit too much marketing-ish for my taste:

  "Some of the objectors, though, go a bit further: They claim
   that curl|bash is more open to attack than other distribution
   mechanisms [...]

   Of course, all content served by sandstorm.io – from software
   downloads to our blog – is served strictly over HTTPS [...]"

They are mixing up the chain of trust up to the distributor (package
signing) with the transport security (HTTPS). Why?

Remember that nice npm event-stream mess-up [1]? That's the dark
side of "iterate faster".

Trust is a complex beast. At its bottom it can't be completely
rational, but usually you trust a community because you somehow
think you understand how it works and you trust the information
chain linking you to that community.

Cheers
[1] https://lwn.net/Articles/773121/
-- tomás
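The distinction drawn in the reply above, between transport security (HTTPS) and the chain of trust up to the distributor (a signature checked against a key you obtained out of band), as an added example that is not part of the original thread or of any project's code. It is written in Go with the standard library's Ed25519; the key pairs, the install-script text and the three scenarios are all constructed for illustration, and "HTTPS" is modelled only as "the bytes the server sent are the bytes you received", which is the property it actually gives you.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Release is what a distributor publishes: the install script plus a
// detached signature made with the distributor's long-lived signing key.
type Release struct {
	Script    []byte
	Signature []byte
}

// ErrUntrusted is returned when the signature does not verify under the
// pinned publisher key, whatever channel the bytes arrived over.
var ErrUntrusted = errors.New("release is not signed by the pinned publisher key")

// Sign is run by the publisher (in practice offline, with a protected key).
func Sign(priv ed25519.PrivateKey, script []byte) Release {
	return Release{Script: script, Signature: ed25519.Sign(priv, script)}
}

// VerifyRelease models the "chain of trust up to the distributor": the
// script is checked against a key the installer already holds (a keyring
// shipped with the OS, a fingerprint read from a trusted source), not
// against whoever answered the HTTPS request.
func VerifyRelease(pinned ed25519.PublicKey, r Release) ([]byte, error) {
	if !ed25519.Verify(pinned, r.Script, r.Signature) {
		return nil, ErrUntrusted
	}
	return r.Script, nil
}

// TransportOnlyCheck models what HTTPS alone guarantees: the bytes the
// server sent are the bytes you received. It says nothing about whether
// the server's content was the publisher's.
func TransportOnlyCheck(sent, received []byte) bool {
	return string(sent) == string(received)
}

// Scenarios runs three constructed cases and reports, for each, whether the
// transport-only check and the signature check accept the download.
func Scenarios() (map[string]bool, error) {
	pubKey, privKey, err := ed25519.GenerateKey(rand.Reader) // publisher's key
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key nobody pinned
	if err != nil {
		return nil, err
	}

	genuineScript := []byte("#!/bin/sh\necho installing genuine release\n")
	swappedScript := []byte("#!/bin/sh\necho content replaced on the server\n")
	results := map[string]bool{}

	// 1. Genuine release served intact: both checks pass.
	genuine := Sign(privKey, genuineScript)
	results["genuine_transport"] = TransportOnlyCheck(genuine.Script, genuine.Script)
	_, err = VerifyRelease(pubKey, genuine)
	results["genuine_signature"] = err == nil

	// 2. Compromised origin: the server's copy was replaced but the old
	//    signature is left alongside it. TLS delivers the swapped bytes
	//    faithfully, so the transport check passes; the signature does not.
	swapped := Release{Script: swappedScript, Signature: genuine.Signature}
	results["swapped_transport"] = TransportOnlyCheck(swapped.Script, swapped.Script)
	_, err = VerifyRelease(pubKey, swapped)
	results["swapped_signature"] = err == nil

	// 3. The replaced script is re-signed with a key that is valid in
	//    itself but was never pinned by the installer: transport passes,
	//    signature still fails because trust is anchored in the key, not
	//    in the certificate of the host that served the file.
	resigned := Sign(otherPriv, swappedScript)
	results["resigned_transport"] = TransportOnlyCheck(resigned.Script, resigned.Script)
	_, err = VerifyRelease(pubKey, resigned)
	results["resigned_signature"] = err == nil

	return results, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine_transport", "genuine_signature",
		"swapped_transport", "swapped_signature",
		"resigned_transport", "resigned_signature"} {
		fmt.Printf("%-20s accepted=%v\n", k, results[k])
	}
}
```

The point of the second and third cases is the one the reply makes: HTTPS only tells you the mirror sent what you received, so a mirror or CDN that has been modified, or a lookalike host with a perfectly valid certificate, passes the transport check. The signature check keeps rejecting those downloads because the only thing it trusts is a key that reached the installer by some other path than the download itself.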


