[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Fri Jun 17 15:58:34 CEST 2016


> Like already said before, detecting if a user runs a curl-pipe-bash and
> injecting a malicious binary on the fly is rather trivial to do compared
> to compromising the nixos website itself, and creating a phishing page to
> fake both the tarball and the displayed hash.

Hash would only ensure that there is no corruption en route, but we
already have that since most TLS ciphersuites are authenticated... gotta
check nixos.org ciphersuites.
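
Added example (not part of the original message or of the Nix project's code): a Python simulation of the distinction discussed in this thread, with origins modelled as constructed in-memory dictionaries and all function and file names hypothetical. It shows that a hash served by the same origin as the tarball catches transit corruption but not a substituted tarball, while a hash obtained out of band catches both.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_origin(payload: bytes) -> dict:
    """Simulated web origin serving a tarball and its hash side by side."""
    return {"install.tar": payload,
            "install.tar.sha256": sha256_hex(payload).encode()}


def fetch(origin: dict, name: str, corrupt: bool = False) -> bytes:
    """Return a file from the origin; corrupt=True flips one bit in transit."""
    data = origin[name]
    return bytes([data[0] ^ 0x01]) + data[1:] if corrupt else data


def verify_same_origin(origin: dict, corrupt: bool = False) -> bool:
    """Compare the tarball with the hash published next to it."""
    tarball = fetch(origin, "install.tar", corrupt)
    published = fetch(origin, "install.tar.sha256").decode()
    return sha256_hex(tarball) == published


def verify_pinned(origin: dict, pinned: str, corrupt: bool = False) -> bool:
    """Compare the tarball with a hash obtained out of band (assumption)."""
    return sha256_hex(fetch(origin, "install.tar", corrupt)) == pinned


# Constructed sample data: a genuine origin and one whose content was replaced.
GENUINE = make_origin(b"constructed genuine installer bytes")
REPLACED = make_origin(b"constructed substituted installer bytes")
PINNED = sha256_hex(GENUINE["install.tar"])


def run_cases() -> dict:
    return {
        "genuine, same-origin hash": verify_same_origin(GENUINE),
        "corrupted, same-origin hash": verify_same_origin(GENUINE, corrupt=True),
        "replaced, same-origin hash": verify_same_origin(REPLACED),
        "replaced, pinned hash": verify_pinned(REPLACED, PINNED),
        "genuine, pinned hash": verify_pinned(GENUINE, PINNED),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```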

