[Nix-dev] Malicious installation methods

Robin Bate Boerop me at robinbb.com
Fri Jun 17 19:33:15 CEST 2016


On 17 June 2016 at 11:42, Yui Hirasawa <yui at cock.li> wrote:
>> I ask the members of the list to point to a software project that is
>> doing this
>
> Any software project that is telling the user to install the software
> using the package manager of their distribution. Pretty much all package
> managers verify signatures and they are really convenient for the user,
> even more convenient than the curl | sh method since the user doesn't
> have to go to the project's website to find out what exactly they are
> supposed to curl, what they are supposed to pipe it to, and which
> user it should be done as.

True, of course. But, there is a class of software projects which will
likely never be "packaged" by package managers - namely, other package
managers. Nix falls into this class, along with, for example, NPM,
Brew, Oh-My-Zsh, and others.

I wonder whether there are other software projects *in this class*
which are easy and secure to install?
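The safer shape of the "curl | sh" install the thread is debating, written up here as an added example rather than anything from this list or from the Nix project: download to a file first, compare it against a pinned SHA-256, and only execute on an exact match. The URL and the pinned hash are placeholders; note that a hash copied from the same website that serves the script is only as trustworthy as that website, so a detached signature checked against a key fingerprint obtained out of band is the stronger form of this check.

```shell
#!/bin/sh
# Added example, not code from the nix-dev thread. The pattern is
# "download, pin, verify, then run" instead of piping a network stream
# straight into sh. URL and hash below are constructed placeholders.

set -u

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's SHA-256 equals the pinned value exactly.
# Any mismatch (tampered, truncated or substituted download) is a refusal.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch into a temporary file, verify it, and only then execute it.
# Run this as an unprivileged user; escalate per command later if needed.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download of $url failed" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url; refusing to run it" >&2
        rm -f "$tmp"; return 2
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder values, constructed for illustration):
# fetch_verify_run "https://example.invalid/install.sh" "<pinned sha256>"
```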
