[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Alex Satrapa grail at goldweb.com.au
Wed Jul 29 22:16:24 UTC 2015


On 30 Jul 2015, at 02:43, James Ring <sjr at jdns.org> wrote:
> 
> If you trust the site and you get the bytes via SSL and the
> certificate checks out, how is this different from downloading and
> running some binary from, say, Debian archives?

The stuff you fetch from Debian binary archives is signed, so you know it wasn’t corrupted en route.

If you download the script using curl or Wget and actually look at it to make sure it seems legit (not many of us will be able to read through and tell that it is 100% legit), then it’s safe(r) to run. Even better, the site could ship the code as a tarball with a published MD5/SHA1 checksum (or whatever the cool kids are using these days).

Blindly downloading, especially with instructions that suggest ignoring SSL certificate errors, will lead to MITM attacks. It’s like the 3 second gap when you’re driving: you don’t *expect* things to go wrong, but at least you’re better prepared for when they do.

Alex
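The fetch-to-file, inspect/verify, then run workflow described above, as an added shell example that is not part of the list post: it uses SHA-256 via sha256sum/shasum rather than MD5/SHA1, and the curl flags, file names and the constructed install script are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: download to a file, verify it against a
# published checksum, and only then run it, instead of piping curl into sh.
# Assumes sha256sum (GNU) or shasum (BSD/macOS) is installed; paths are constructed.

# Fetch over HTTPS only, certificate checks left on (never -k/--insecure).
# Not called by the offline demo below.
fetch_to_file() {
    curl --fail --silent --show-error --location --proto '=https' \
         --output "$2" "$1"
}

# Print the hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_HEX: 0 only if the file matches the published value.
# A checksum served by the same site over the same channel only catches corruption
# in transit; a compromised site can republish it, which is why signed archives
# (the Debian case in the reply) are the stronger check.
verify_download() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# safe_run FILE EXPECTED_HEX: refuse to execute anything that fails verification.
safe_run() {
    if verify_download "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1, refusing to run it" >&2
        return 1
    fi
}

# Offline demo on a constructed install script. Prints "yes no": the intact file
# verifies, the file altered after the checksum was published does not.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "installing example"\n' > "$tmp/install.sh"
    published=$(sha256_of "$tmp/install.sh")   # value the site would publish
    verify_download "$tmp/install.sh" "$published" && ok=yes || ok=no
    echo 'echo "line inserted in transit"' >> "$tmp/install.sh"   # constructed tampering
    verify_download "$tmp/install.sh" "$published" && altered=yes || altered=no
    rm -rf "$tmp"
    echo "$ok $altered"
}
```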
