undefined | Better HN

0 pointsBeefWellington3y ago0 comments

There's quite a bit wrong with this idea that "It's using SSL [therefore it's safe]", assuming your meaning there.

The most obvious case: someone compromises the installation script on the actual real deno server. Right now the webserver there is returning an HTTP/307 to an HTTP/302 to the "current" installation script file. Any compromise of the webserver makes this very dangerous.

Contrast that with proper signed packages, code signed sources, etc. There it requires compromise of the developer's systems and signing keys, which at least can be a far harder thing to attack if they're doing things securely.

0 comments

systemvoltage3y ago

I think this is a fair criticism and deserves attention. Whenever anything shiny comes around, we are too enamored by it to not allow any criticism.

Is there a reason Deno is not packaged as a repo in official apt, deb, yum, etc repositories?

dimitrios13y ago

And in this hypothetical scenario, how does that protect against the aforementioned attack? If one of deno's hosting sites can be attacked to upload a malicious script, one of the package registries can also be attacked and upload a malicious package.

__ryan__3y ago

This makes sense. But how do I as a basic user make sure the signature is correct and definitely from Deno? Couldn’t a hacker sign it with their own signature?

j / k navigate · click thread line to collapse