Comment by cjbprime
7 years ago
We're comparing the security properties of
`curl https://somesite.com/foo.sh | bash`
with
`curl https://somesite.com/foo.deb`
and
`curl https://somesite.com/apt.key | sudo apt-key add - && sudo apt-get update && sudo apt-get install some-software`
I don't think there are very meaningful differences in the security properties -- I don't think it's more difficult to become compromised by one than by one of the others.
No, you're deliberately choosing a bad way to get a key to try to prove your point. You shouldn't be fetching a key from the site that might be compromised.
> You shouldn't be fetching a key from the site that might be compromised.
You shouldn't, but people do, and are being directed to do so increasingly as Linux becomes more popular. Software developers want to be software publishers so bad that they're just going to keep pushing, and therein lies the risk: If people get the impression that packages are somehow more secure than shell scripts, then these kinds of attacks will simply become more prevalent.
To you it's obvious that packages aren't more secure, it's how you get them that makes their normal use more secure. That's apparently too subtle a point for even big companies like Microsoft.
https://pydio.com/en/docs/v8/ed-debianubuntu-systems
https://docs.docker.com/install/linux/docker-ce/ubuntu/#inst...
https://www.spotify.com/uk/download/linux/
https://www.elastic.co/guide/en/apm/server/current/setup-rep...
https://ring.cx/en/download/gnu-linux
http://docs.grafana.org/installation/debian/
https://support.plex.tv/articles/235974187-enable-repository...
https://stack-of-tasks.github.io/pinocchio/download.html
http://download.mantidproject.org/ubuntu.html
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli... (!!!)
I've always said the same, but what's the solution here?
1 reply →
No, there's no effective difference between those examples, apart from maybe post mortem analysis. It's also a poor method of key discovery, as hueving said.