[Nix-dev] Malicious installation methods

zimbatm zimbatm at zimbatm.com
Fri Jun 17 16:12:17 CEST 2016


Pretty good SSL: https://www.ssllabs.com/ssltest/analyze.html?d=nixos.org

I wonder if something like this would be better perceived:

sudo mkdir /nix
curl https://nixos.org/$(arch)nix.tar.gz | sudo tar -C /nix -xzvf -
sudo /nix/post-install

Or I wonder if there was a universal script that would wrap that pattern,
if it would generate less heat:

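#!/bin/sh
#
# Usage: curl-install <url> <sha256>
#
fail() {
  echo "$*" >&2
  exit 1
}

# Both the URL and the expected checksum are required
if [ $# -lt 2 ]; then
  fail "missing arguments"
fi

url=$1
sha256=$2

# Download the whole script to a file before anything is executed
script_path=$(mktemp)
curl -o "$script_path" "$url" || fail "download failed"

# sha256sum prints "<hash>  <file>"; compare only the hash field
if [ "$sha256" != "$(sha256sum "$script_path" | cut -d ' ' -f 1)" ]; then
  fail "Checksum doesn't match"
fi

chmod +x "$script_path"
exec "$script_path"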

On Fri, 17 Jun 2016 at 14:58 Yui Hirasawa <yui at cock.li> wrote:

> > Like already said before, detecting if a user runs a curl-pipe-bash and
> > injecting a malicious binary on the fly is rather trivial to do compared
> > to compromising the nixos website itself, and creating a phishing site to
> > fake both the tarball and the displayed hash.
>
> Hash would only ensure that there is no corruption en route, but we
> already have that since most TLS ciphersuites are authenticated... gotta
> check nixos.org ciphersuites.