On Sun, 12 Apr 2020 17:41:54 +0200 <to...@tuxteam.de> wrote:

> On Sun, Apr 12, 2020 at 10:41:12AM -0400, Celejar wrote:
> > On Sun, 12 Apr 2020 11:37:24 +0300
> > Andrei POPESCU <andreimpope...@gmail.com> wrote:
> >
> > > On Du, 12 apr 20, 09:17:18, to...@tuxteam.de wrote:
> > > > On Sun, Apr 12, 2020 at 09:52:50AM +0300, Andrei POPESCU wrote:
> >
> > [...]
> >
> > Interesting discussion. I've looked quickly at the other side [1],
> > however, and there seem to be serious people and arguments in that
> > direction as well. Are they so obviously wrong? [The objection Andrei
> > notes here is specifically countered by the "curl | bash" defenders,
> > although even I can see that the counter is not as strong as the
> > objection.]
> >
> > [1]
> > https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install
> > https://news.ycombinator.com/item?id=12766049
>
> It boils down to whom you trust. Actually the sandstorm page is
> a bit too much marketing-ish for my taste:
>
>   "Some of the objectors, though, go a bit further: They claim
>   that curl|bash is more open to attack than other distribution
>   mechanisms [...]
>
>   Of course, all content served by sandstorm.io – from software
>   downloads to our blog – is served strictly over HTTPS [...]"
>
> They are mixing up the chain of trust up to the distributor (package
> signing) with the transport security (HTTPS). Why?
>
> Remember that nice npm event-stream messup [1]? That's the dark
> side of "iterate faster".
>
> Trust is a complex beast. At its bottom it can't be completely
> rational, but usually you trust a community because you somehow
> think you understand how it works and you trust the information
> chain linking you to that community.
Exactly. So if I trust the Sandstorm community (for example - I know
nothing about them), then I'm not sure that there's any particularly
great risk in installing their product via "curl | bash", and if I don't
trust them, I shouldn't install their product via any other mechanism
either.

> Cheers
> [1] https://lwn.net/Articles/773121/
> -- tomás

Celejar
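The distinction tomás draws above (trust in the distributor via signing versus transport security via HTTPS) is easiest to see in a "fetch, verify, then run" helper. The script below is an added example written for this thread, not code from Sandstorm or from any poster; the function names (`sha256_of`, `verify_digest`, `fetch_verified`, `run_verified`) are my own, and it verifies against a SHA-256 digest obtained out of band rather than a PGP signature so it can run anywhere without gpg. A detached OpenPGP signature checked with `gpg --verify` against a key you already hold plays the same role and additionally binds the file to a signer identity.

```shell
#!/bin/sh
# Added example (not from the thread): download to a file, verify against a
# trust anchor you obtained separately, and only then execute.
# HTTPS proves you are talking to the host named in the certificate; it says
# nothing about whether the script that host serves is the one the publisher
# meant to publish. The digest must therefore come from a different trust
# path (a signed release note, a pinned value from an earlier install, ...),
# not from the same web page that serves the script.

# sha256_of FILE -> hex digest on stdout, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_digest FILE EXPECTED_HEX -> status 0 if the file matches, 1 otherwise.
verify_digest() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_HEX DEST
# Downloads to a temp file so a truncated or tampered response is never
# half-executed, and moves it into place only if the digest matches.
# (--proto '=https' and --tlsv1.2 are real curl options that refuse
# downgrade to plain HTTP or old TLS; this function is not exercised offline.)
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if verify_digest "$tmp" "$expected"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# run_verified FILE EXPECTED_HEX -> executes the script only after the check
# passes; a mismatch is reported and nothing is run.
run_verified() {
    if verify_digest "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
}
```

Usage: `fetch_verified https://example.invalid/install.sh <digest> ./install.sh && run_verified ./install.sh <digest>`. The point the thread makes still applies: if the digest (or signing key) is only ever fetched from the same server as the script, the check adds nothing beyond HTTPS; it is the separate channel that turns "I reached the right host" into "I got the file the publisher meant".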