[Nix-dev] Malicious installation methods
Yui Hirasawa
yui at cock.li
Fri Jun 17 13:12:57 CEST 2016
I recently noticed that you recommend very malicious installation
methods on your download page for nix[1]
Retrieving code straight from the internet and blindly executing is
never a good thing and you don't give any sort of recommendation for the
user to inspect the script before running it. This completely defeats
the point of having reproducible builds when your system can be
completely infected when you install the package manager. This also
means that anything installed through the package manager is potentially
malicious as well.
> $ curl https://nixos.org/nix/install | sh
And this isn't made any better by the fact that you want users to run
the script blindly as the superuser.
> This script requires that you have sudo access to root,
I ask you to PLEASE remove this installation method from the
recommendations on the page because it makes it look like you don't care
about computer secuirty one bit.
PS. There are ways of detecthing when something is piped straight to an
interpreter and thus even if someone did curl and read the output and
then curled into a shell they could still get infected as serving
different pages depending on the circumstances isn't all that difficult.
[1]: https://nixos.org/nix/download.html
More information about the nix-dev
mailing list