[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Michael Cohen scudette at gmail.com
Thu Jul 30 06:53:37 UTC 2015


Am 29.07.2015 23:24 schrieb "Alex Satrapa" <grail at goldweb.com.au>:
> It won’t be Google that publishes the bad script. By definition the actor
in the “Man in the Middle” attack is neither end of a presumably two-way
conversation.
>
> You *think* you’ve connected to Google, but the attacker poisoned your
DNS so you’re actually connected to g00gle, and the script you’re piping
into shell sets up a rootkit rather than an Internet cat picture archive.

This does not make any sense. You are talking about mitm of http
connections but that is the same threat whether you use a shell script or
any other installer. The hall of shame site that a previous poster has
referenced is just plain wrong on many cases. At least all the cases that
use wget and curl to a HTTPS URL are as secure as any other distribution
method (eg an MSI installer). Of course it is assumed that wget and curl
implement sane cert verification which was not always the case but I think
these days the distros are better. In fact it may be even more transparent
than an MSI since it's so easy to just look at the script you are about to
run if you want. It's much harder to verify what an MSI or exe is going to
do.

I actually think that piping a curl HTTPS URL into bash is a better way for
making a simple installer than alternatives. Realistically what is the
alternative? You can tell the user to download the shell script, look at it
and then run it. Those users than grok bash will already know to do this if
they care and those users that don't can't spot a malicious script anyway.
So this does not buy you anything. You can distribute a deb file and serve
it over HTTPS and that's the same thing. If you have a ppa then maybe you
can use pgp keys as described but that only proves that you published it
not that it's not malicious.

>
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>


More information about the linux mailing list