[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Fri Jun 17 15:54:51 CEST 2016


>> But without even considering that, "curl-pipe-bash" will cause your
>> sysadmin to blow a fuse or heartbreak in most companies / environments.
>> And for very good reasons.
>
> That is not very different from a "make install" of a downloaded tarball,
> though. :)

The fact that when you build from a source tarball you actually have a
chance to verify its contents and tarballs can be signed. Webpages that
are piped straight into an interpreter cannot be signed.
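
The contrast drawn in this message, as an added example that is not part of the original post: an installer saved to a file can be checked before anything executes, which a script piped straight into a shell cannot. The function names are hypothetical and the sample installer is constructed; a pinned SHA-256 digest stands in here for a signature check.

```bash
#!/usr/bin/env bash
# Added example: fetch-to-file, verify, then execute (instead of curl | sh).

# Print the lowercase hex SHA-256 of a file (sha256sum, or shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_verified FILE PINNED_SHA256
# Runs FILE with sh only if its digest equals the pinned one; otherwise returns 1.
# A detached signature would be checked at the same point (gpg --verify FILE.sig FILE).
run_if_verified() {
    riv_file=$1
    riv_pinned=$2
    # Reject an empty or malformed pin so a failed hash can never "match" it.
    case $riv_pinned in
        *[!0-9a-f]* | '') echo "bad pinned digest" >&2; return 1 ;;
    esac
    [ "${#riv_pinned}" -eq 64 ] || { echo "bad pinned digest" >&2; return 1; }
    riv_actual=$(sha256_of "$riv_file")
    if [ "$riv_actual" != "$riv_pinned" ]; then
        echo "refusing to run $riv_file: digest mismatch" >&2
        return 1
    fi
    sh "$riv_file"
}

# Demo on a constructed installer; a real one would be saved with curl -fsSLo
# and the pin obtained over a separate trusted channel.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' 'echo "installing"' > "$demo_dir/install.sh"
    demo_pin=$(sha256_of "$demo_dir/install.sh")
    if run_if_verified "$demo_dir/install.sh" "$demo_pin"; then ok=yes; else ok=no; fi
    printf '%s\n' 'echo "tampered"' >> "$demo_dir/install.sh"   # simulate modification
    if run_if_verified "$demo_dir/install.sh" "$demo_pin" 2>/dev/null; then bad=yes; else bad=no; fi
    rm -rf "$demo_dir"
    echo "original ran: $ok, tampered ran: $bad"
}
demo
```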

