[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Michael Cohen scudette at gmail.com
Thu Jul 30 01:51:47 UTC 2015


Am 29.07.2015 18:32 schrieb "Paul Harvey" <csirac2 at gmail.com>:
> I suppose what you're getting at is that https makes no guarantees
> about the original code you're trying to download: the original code
> may itself be hostile, and so no amount of transport layer security
> will change anything.

No, I was specifically commenting on the claim that having an install
process which curls a URL and pipes it to a shell is a horrible idea. My
point is that it is not better or worse than any other installation method
- the weak point is the HTTPS transport, or lack thereof. There is nothing
specially bad about bash.

> But this ignores problems at the connection/network transport layer.
> Which is not incompatible with the fact that most Linux distros still
> rely on plain http mirrors (so as not to break proxy caches); but they
> still have PGP and friends to validate delivered files.

So this is a better system: the installer has out-of-band verification
(PGP) to validate packages outside HTTPS (so use of HTTP is OK). Mind you,
most users will just allow it when apt says that it can't verify the signature.

> Surely https, warts and all, allows for at least slightly better
> hygiene than blind faith in your physical network and http.

Totally agree!
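Added example (not code from the thread or from any project mentioned in it): the download-then-verify pattern the reply describes, as a drop-in replacement for `curl URL | sh`. It assumes a keyring file obtained out of band (the pinned public key of whoever publishes the installer) and hypothetical script and signature URLs; the signature check is done with gpg against only that pinned keyring, never the user's default one.

```shell
#!/bin/sh
# Defender's replacement for `curl URL | sh`: fetch to disk, verify a detached
# PGP signature against a pinned keyring, and only then execute.
set -eu

# verify_script FILE SIG KEYRING
# Returns 0 only if SIG is a good signature over FILE made by a key in
# KEYRING. --no-default-keyring means a key imported into the user's own
# keyring by accident (or by a hostile script) cannot vouch for the file.
verify_script() {
    file=$1; sig=$2; keyring=$3
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --verify "$sig" "$file" >/dev/null 2>&1
}

# fetch_and_run URL SIG_URL KEYRING
# URL and SIG_URL are hypothetical; KEYRING is provisioned out of band.
fetch_and_run() {
    url=$1; sig_url=$2; keyring=$3
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    # --proto '=https' refuses a downgrade to plain http, even on redirect,
    # which is the transport weakness the thread is about.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp/install.sh" "$url"
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp/install.sh.asc" "$sig_url"
    if verify_script "$tmp/install.sh" "$tmp/install.sh.asc" "$keyring"; then
        sh "$tmp/install.sh"
    else
        echo "signature check failed; refusing to run installer" >&2
        return 1
    fi
}
```

Unlike piping straight into a shell, a partial or tampered download never reaches an interpreter here; it is either the bytes the publisher signed or it is discarded.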

