[Nix-dev] Malicious installation methods
Vladimír Čunát
vcunat at gmail.com
Sun Jun 19 12:27:57 CEST 2016
On 06/19/2016 11:44 AM, Yui Hirasawa wrote:
> If you sign the script and it contains say sha512sums for the things it
> pulls you don't have to sign them separately. It's similar to how many
> distributions only distribute one file with all the sums that is signed.
I don't think there's no easy way for the user to verify such sums, as
they would be over large file trees. (Nix would do that but at this
point they don't have/trust it yet.)
Perhaps if we built one big self-extracting script and signed it... if
you'd like to implement that ;-)
--Vladimir
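
An added example, not part of the original message or of Nix's installer: a sketch of what checking a checksum manifest over a whole file tree involves, including the case plain `sha512sum -c` does not report, files present in the tree but absent from the manifest. The function names and the sample tree are constructed for illustration, and it assumes the manifest's own signature has already been verified by other means.

```python
import hashlib
import os
import tempfile

def tree_manifest(root):
    """Map each relative path under root to its SHA-512 hex digest."""
    sums = {}
    for dirpath, dirs, files in os.walk(root):
        for name in files + dirs:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                sums[rel] = None  # a symlink never matches a digest
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    sums[rel] = hashlib.sha512(fh.read()).hexdigest()
    return sums

def parse_manifest(text):
    """Parse sha512sum-style lines of the form '<hex>  <path>'."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            expected[path.lstrip("*")] = digest.lower()
    return expected

def verify_tree(root, manifest_text):
    """Report every way the tree differs from the (already trusted) manifest."""
    expected, actual = parse_manifest(manifest_text), tree_manifest(root)
    common = expected.keys() & actual.keys()
    return {"missing": sorted(expected.keys() - actual.keys()),
            "unlisted": sorted(actual.keys() - expected.keys()),
            "modified": sorted(p for p in common if expected[p] != actual[p])}

def demo():
    """Constructed tree: record its sums, then tamper with it in three ways."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        sample = {"install.sh": b"echo hi\n", "bin/tool": b"\x7fELF", "README": b"docs\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        manifest = "".join(f"{d}  {p}\n" for p, d in tree_manifest(root).items())
        clean = verify_tree(root, manifest)
        with open(os.path.join(root, "bin", "tool"), "ab") as fh:
            fh.write(b"!")                                   # modified file
        os.remove(os.path.join(root, "README"))              # missing file
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"x")                                   # unlisted file
        return clean, verify_tree(root, manifest)

if __name__ == "__main__":
    print(demo())
```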