
Re: Anti-malware for my personal Debian workstation?



On Sun, 12 Apr 2020 17:41:54 +0200
<tomas@tuxteam.de> wrote:

> On Sun, Apr 12, 2020 at 10:41:12AM -0400, Celejar wrote:
> > On Sun, 12 Apr 2020 11:37:24 +0300
> > Andrei POPESCU <andreimpopescu@gmail.com> wrote:
> > 
> > > On Du, 12 apr 20, 09:17:18, tomas@tuxteam.de wrote:
> > > > On Sun, Apr 12, 2020 at 09:52:50AM +0300, Andrei POPESCU wrote:
> 
> [...]
> 
> > Interesting discussion. I've looked quickly at the other side [1],
> > however, and there seem to be serious people and arguments in that
> > direction as well. Are they so obviously wrong? [The objection Andrei
> > notes here is specifically countered by the "curl | bash" defenders,
> > although even I can see that the counter is not as strong as the
> > objection.]
> > 
> > [1]
> > https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install
> > https://news.ycombinator.com/item?id=12766049
> 
> It boils down to whom you trust. Actually the sandstorm page is
> a bit too much marketing-ish for my taste:
> 
>   "Some of the objectors, though, go a bit further: They claim
>    that curl|bash is more open to attack than other distribution
>    mechanisms [...]
> 
>    Of course, all content served by sandstorm.io – from software
>    downloads to our blog – is served strictly over HTTPS [...]"
> 
> They are mixing up the chain of trust up to the distributor (package
> signing) with the transport security (HTTPS). Why?
> 
> Remember that nice npm event-stream messup [1]? That's the dark
> side of "iterate faster".
> 
> Trust is a complex beast. At its bottom it can't be completely
> rational, but usually you trust a community because you somehow
> think you understand how it works and you trust the information
> chain linking you to that community.

Exactly. So if I trust the Sandstorm community (for example - I know
nothing about them), then I'm not sure that there's any particularly
great risk in installing their product via "curl | bash", and if I
don't trust them, I shouldn't install their product via any other
mechanism either.

> Cheers
> [1] https://lwn.net/Articles/773121/
> -- tomás


Celejar
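To make tomás's distinction concrete, here is an added shell example (not code from this thread, from Debian, or from Sandstorm): the downloaded script is executed only if its detached OpenPGP signature verifies against a key pinned locally beforehand. It assumes gpg 2.1 or newer; a throwaway key generated on the spot stands in for the distributor's key, and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a detached OpenPGP signature checked
# against a locally pinned key catches an altered script whether the change
# happened on the server or in transit; HTTPS alone only covers the transit leg.
# Assumes gpg 2.1 or newer. A throwaway key generated here stands in for the
# distributor's key, which in practice you would fetch once, out of band.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Distributor side (simulated): generate a signing key, publish its public half,
# and sign the install script. The .sig is served next to the script.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Distributor <dist@example.invalid>' ed25519 sign 0
gpg --batch --quiet --export dist@example.invalid > "$WORK/distributor.gpg"
printf 'echo "installing example"\n' > "$WORK/install.sh"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/install.sh.sig" "$WORK/install.sh"

# Admin side: run the script only after its signature verifies against the
# pinned keyring. Echoes "ok" or "rejected"; returns 0 or 1 accordingly.
verify_then_run() {
    script=$1; sig=$2; keyring=$3
    if gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$script" 2>/dev/null; then
        sh "$script" >/dev/null
        echo ok
    else
        echo rejected
        return 1
    fi
}

# The genuine script passes; a copy with one extra line is rejected, even
# though both would arrive "securely" over HTTPS.
verify_then_run "$WORK/install.sh" "$WORK/install.sh.sig" "$WORK/distributor.gpg"
cp "$WORK/install.sh" "$WORK/altered.sh"
printf '# one extra line\n' >> "$WORK/altered.sh"
verify_then_run "$WORK/altered.sh" "$WORK/install.sh.sig" "$WORK/distributor.gpg" || true
```

On Debian the pinned public key would live under /usr/share/keyrings and the check would typically be done with gpgv, which is what apt itself uses for Release files.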

