[Nix-dev] Malicious installation methods

Kevin Cox kevincox at kevincox.ca
Fri Jun 17 14:22:33 CEST 2016


On 17/06/16 07:59, Azul wrote:
> simple as that,
> just don't do it.
> 
> https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
> 

While this is interesting research I find that it is often irrelevant
because you are trusting the server anyways. So if you trust the server
enough to run its software as root you should trust it enough not to
swap out the file on you.

If you are paranoid, curl the script and follow the steps manually.
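
One way to take the manual route, as an added example that is not part of the original message: save the installer to a file so that the bytes reviewed are the bytes executed, and refuse to run it unless its SHA-256 matches the digest recorded at review time. The function names `sha256_of` and `run_if_pinned`, and the URL and digest in the usage comment, are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only if its digest equals the pinned one.
# Returns 2 on usage error, 3 if FILE is missing, 4 on digest mismatch,
# otherwise the exit status of the script itself.
run_if_pinned() {
    [ "$#" -ge 2 ] || { echo "usage: run_if_pinned FILE SHA256 [ARGS...]" >&2; return 2; }
    file=$1; expected=$2; shift 2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    actual=$(sha256_of "$file")
    # Accept a pinned digest written in upper case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 4
    fi
    sh "$file" "$@"
}

# Typical use (URL and digest are placeholders):
#   curl -fsSL -o install.sh https://example.org/install.sh
#   less install.sh          # read what it will do before running anything
#   run_if_pinned install.sh <sha256-recorded-after-review>
```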

