[Nix-dev] Malicious installation methods

Yui Hirasawa yui at cock.li
Fri Jun 17 20:01:19 CEST 2016


>>> I ask the members of the list to point to a software project that is
>>> doing this
>>
>> Any software project that is telling the user to install the software
>> using the package manager of their distribution. Pretty much all package
>> managers verify signatures and they are really convenient for the user,
>> even more convenient than the curl | sh method, since the user doesn't
>> have to go to the project's website to find out what exactly they are
>> supposed to curl, what they are supposed to pipe it to, and which
>> user it should be done as.
>
> True, of course. But, there is a class of software projects which will
> likely never be "packaged" by package managers - namely, other package
> managers. Nix falls into this class, along with, for example, NPM,
> Brew, Oh-My-Zsh, and others.

What reason would there be to not package other package managers?

A quick search on Parabola tells me that there are at least a few package
managers that are packaged for it. Also, cpan is included in the perl
package.

npm, pip, dub, nuget, cargo, bower, nimble, shards

> I wonder whether there are other software projects *in this class*
> which are easy and secure to install?

The ones above.

There is no reason to not package your package manager other than
laziness and desire to not have adoption. Especially Nix and Guix are
package managers that would make a lot of sense to package for other
distributions to make the adoption easier.


More information about the nix-dev mailing list