[Nix-dev] Malicious installation methods
Profpatsch
mail at profpatsch.de
Sun Jun 19 09:08:14 CEST 2016
On 16-06-18 11:46pm, Bardur Arantsson wrote:
> On 06/18/2016 11:18 PM, Profpatsch wrote:
> >
> > The script approach is not very bad. Maybe sign it with gpg for people
> > who want to verify it.
> >
>
> Have you been following along on the thread at all? Signing the
> installer script does very little[1] unless the bits it fetches are
> themselves also signed (GPG style) and verified by the script.
>
> nothing, but what you really want is signing of everything in the trust
> chain.
Hydra already signs packages. I’m not sure if that’s easily verifiable
by hand, though.
The script itself could contain a `gpg …` line to verify the binary blob,
not sure how much sense that makes.
--
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it’s urgent, call me.
More information about the nix-dev
mailing list