undefined | Better HN

0 pointsearthnail8mo ago0 comments

Because untrustworthy websites can piggyback on the brand name.

"Download ffmpeg here: sudo bash -c ..."

And then the installation script from our malicious site installs ffmpeg just fine, plus some stuff you have no idea about. And you never know that you've just been hacked.

0 comments

2 comments · 2 top-level

dns_snek8mo ago

Can you repeat this mental exercise for every other installation method you can think of? e.g. distributing deb/rpm files, distributing AppImages, asking users to add your custom repository and signing key?

(Yes I know that the last one has built-in benefits for automatic updates but that's not going to protect you on initial installation and its benefits can be replicated in a more portable way in any other auto-update mechanism with a similar amount of effort)

((And if you have the patience to set up a custom repository, you can simplify initial installation process using a "curl|bash" script))

QuantumNomad_8mo ago

If you get your install instructions from an untrustworthy website, there’s nothing preventing them from telling you to use a third-party apt repository or ppa that gives you a malicious version of the thing.

There’s not really a difference between curl piped to bash, and installing packages from a third-party package repository that the distro maintainers have no involvement in with.

j / k navigate · click thread line to collapse