by phaer 2497 days ago
> Deb packages have cryptographic signatures that can be verified to confirm it actually came from nodesource (or whoever)

And how do you get the GPG key to verify such signatures from third-parties? Usually via https from their website, no?

> Also, you can detect the curl|bash installation method server-side and serve different content

Yes, but you are supposed to trust the people you get your packages from not to do it. And so it should only make a difference if their servers are compromised and they sign packages with a key stored offline.

I think the latter is much less common than one would hope, with release processes in CI and such.
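One mitigation for the first point above (the signing key itself arriving over HTTPS from the same party) is to pin the key's fingerprint, obtained through an independent channel, and refuse to install the key unless it matches. The script below is an added example and not code from the thread or from nodesource; the URL, fingerprint and keyring path are placeholders, and it assumes `gpg` (2.1.23 or newer, for `--import-options show-only`) and `curl` are available.

```shell
#!/bin/sh
# Added example (not from the HN thread): pin a third-party apt signing key's
# fingerprint out of band instead of trusting whatever HTTPS serves today.
# KEY_URL, EXPECTED_FPR and KEYRING_PATH are placeholders, not real values.

KEY_URL="https://example.invalid/repo-signing-key.asc"     # placeholder
EXPECTED_FPR="0000000000000000000000000000000000000000"     # placeholder, 40 hex digits
KEYRING_PATH="/etc/apt/keyrings/example.gpg"                # placeholder, adjust per distro

# normalize_fpr FPR: strip spaces and uppercase so "ab cd" and "ABCD" compare equal
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# fingerprint_matches ACTUAL EXPECTED: exit 0 only on an exact (normalized) match
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# key_fingerprints FILE: print the fingerprints found in an ASCII-armored key
# without importing it; 'fpr' records carry the fingerprint in field 10.
key_fingerprints() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# verify_and_install_key: download the key, compare the primary fingerprint
# against the pinned value, and only then place it in the apt keyring.
verify_and_install_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    actual=$(key_fingerprints "$tmp" | head -n 1)
    if fingerprint_matches "$actual" "$EXPECTED_FPR"; then
        gpg --dearmor < "$tmp" > "$KEYRING_PATH"
        rm -f "$tmp"
        return 0
    fi
    echo "fingerprint mismatch: got '$actual', expected '$EXPECTED_FPR'" >&2
    rm -f "$tmp"
    return 1
}
```

The comparison deliberately happens before `--dearmor` writes anything into the keyring, so a key served by a compromised or substituted server is rejected rather than installed and trusted by apt. Call `verify_and_install_key` after setting the three variables for the repository you actually use.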