[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Paul Harvey csirac2 at gmail.com
Thu Jul 30 01:58:58 UTC 2015


On 30 July 2015 at 11:51, Michael Cohen <scudette at gmail.com> wrote:
>
> On 29.07.2015 at 18:32 "Paul Harvey" <csirac2 at gmail.com> wrote:
>> I suppose what you're getting at is that https makes no guarantees
>> about the original code you're trying to download: the original code
>> may itself be hostile, and so no amount of transport layer security
>> will change anything.
>
> No I was specifically commenting about the claim that having an install
> process which curls a URL and pipes it to shell as a horrible idea. My point
> is that it is not better or worse than any other installation method - the
> weak point is the HTTPS transport or lack of. There is nothing specially bad
> about bash.

Ah, apologies. Of course. I suppose piping the internet directly into
a bash might be considered by some to be a pretty direct way to get a
remote shell, but then again practically speaking if an attacker has
that position already there's not much to stop them doing the same by
adding some remote access trojan to an executable.
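The exchange above turns on whether piping a downloaded script straight into a shell is any worse than other installation methods. As an added illustration that is not part of the thread, the following POSIX shell functions show the "download to a file, check its digest, then run it" pattern that separates fetching from executing, so a tampered or truncated download is never executed. It assumes `sha256sum` (coreutils) or `shasum` is available, and that the expected digest is obtained out of band (for example from a release page or a signed manifest); the sample installer it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify a downloaded
# installer against a known SHA-256 before executing it, instead of
# `curl URL | sh`. Assumes sha256sum or shasum is installed.

# Print the SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute the installer at $1 only if its digest equals $2 (the value
# published out of band). Returns 1 and does not run the file on mismatch,
# so a corrupted or substituted download stops here rather than in a shell.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed stand-in for a downloaded installer (a tiny script that
# just announces it ran). Prints the path of the temporary file.
make_sample_installer() {
    tmp=$(mktemp)
    printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$tmp"
    echo "$tmp"
}
```

Usage: `f=$(make_sample_installer); verify_and_run "$f" "$(sha256_of "$f")"` runs the script, while `verify_and_run "$f" deadbeef` refuses and returns 1. In practice the expected digest is pinned in the calling script rather than computed from the download itself; the point is only that the fetch and the execution are two separate, checkable steps.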
