[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Fri Jun 17 16:42:50 CEST 2016


> I ask the members of the list to point to a software project that is
> doing this

Any software project that is telling the user to install the software
using the package manager of their distribution. Pretty much all package
managers verify signatures and they are really convenient for the user,
even more convenient than the curl | sh method, since the user doesn't
have to go to the project's website to find out what exactly they are
supposed to curl, what they are supposed to pipe it to, and which user it
should be done as.

> (providing secure and easy installation)

Security is a trade-off with convenience. You have to sacrifice a bit of
one to get the other. Giving the user the steps to verify the script is a
very small hit on usability and convenience but a very significant
increase in security.

> This is not a rhetorical question meant to point out that no project
> does this well. I really just don't know of one.

Anything that tells the user to just install their software with a
package manager is doing it. So, pip, cpan etc. are all better than you
in this regard.
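
An added illustration of the "steps to verify the script" argued for above; this is example code written for this page, not something posted in the thread or shipped by any of the projects mentioned. Package managers verify signatures, which needs a keyring; the closest thing a `curl | sh` installer can offer without one is: download to a file, compare its SHA-256 against a digest obtained out of band, and only then execute it. The installer script, the "published" digest and the tampered copy are all constructed inline (the digest is computed from the constructed file rather than fetched from anywhere), so the whole thing runs offline. Note the caveat the example cannot remove: a checksum fetched from the same server as the script defends against a corrupted download, not against a compromised server; for that you need a signature checked against a key you already trust, which is exactly what the distribution package manager does.

```shell
#!/bin/sh
# Added example (not from the original mail): verify an installer before
# running it, instead of `curl https://... | sh`.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256: execute FILE only if its digest
# matches EXPECTED_SHA256. Returns 0 if the script ran, 1 on a mismatch;
# on mismatch nothing is executed and the file is left in place for inspection.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# --- constructed demo data; stands in for `curl -o install.sh https://...` ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$workdir/install.sh"
# The digest the project would publish out of band (assumption: the user
# obtained it from somewhere other than the download itself).
good_sum=$(sha256_of "$workdir/install.sh")

# Tampered copy with one extra line, as a compromised mirror or an
# on-path attacker on a plain-HTTP fetch might serve.
cp "$workdir/install.sh" "$workdir/tampered.sh"
echo 'echo "something else ran"' >> "$workdir/tampered.sh"

echo "--- genuine script ---"
verify_and_run "$workdir/install.sh" "$good_sum"

echo "--- tampered script ---"
if verify_and_run "$workdir/tampered.sh" "$good_sum"; then
    echo "BUG: tampered script executed" >&2
    exit 1
fi
echo "tampered script was refused"
```

The extra step for the user is one `sha256sum -c` (or the equivalent above) between the download and the `sh`; the two lines the user has to type instead of one are the "very small hit on usability" the mail refers to.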

