
Comment by Hamuko

3 days ago

I don't understand how the tap trust improves security at all. If I'm installing something from a third-party tap, instead of running tap + install, I now run tap + trust + install? How does this protect me against compromised taps?

You can now trust individual files inside taps. It was not clear to all users before now that some commands (before `--eval-all`, a mess this replaces) would evaluate all packages' Ruby code from all taps. This cleans that up and some other security-degrading edge cases I won't bore you with here.

Trust is also user specific now.

It’s not a silver bullet but it does help address some potential attacks and gives us a foundation to improve on over time.

Exactly - so far it seems like a Windows Vista "are you sure?" modal. Are we missing something here?