by Eeems 1730 days ago
I know I reacted hard to this statement:

> Going further down the rabbit hole, the toltec GitHub page mentions that it works on top of the Entware distribution, and recommends what is basically “wget | bash”. I’m not a fan of this. Could I install my own rsync?

We made sure that the toltec install process includes a hash of the install script to prove that it isn't modified by a man-in-the-middle. Toltec itself requires the use of SSL to connect after the fact, which lowers the risk after it's been installed. We are also exploring the implications of adding package signing[0].

0. https://github.com/toltec-dev/build/issues/14


I made the mistake in that post of not mentioning that I didn't want to be required to connect the rm2 to wifi, and installing a package manager would mean I would need to do that to install software. If anything it would be something I would temporarily install, use it to install rsync, then figure out how to uninstall it, and in my mind that's functionally equivalent to what I was doing with docker. Pushing to / instead of /opt was my mistake :)

I apologize, I could have better expressed why I took the path I did. I'll edit the post later today.

That makes a lot more sense. You can always just install initially and then use opkg to install local packages you scp across in the future as well: `opkg install path/to/package.ipk`

Another option would be to just grab the files from the package itself and extract them to the device, and then manually run the install script steps as required. They are basically just gz tarballs.

For anybody wanting more context on the ipk format: https://github.com/toltec-dev/toltec/blob/stable/docs/opkg.m...

Ah! Now that approach makes a lot more sense. Any particular reason to avoid putting it on a WiFi network for a few minutes?

> We made sure that the toltec install process includes a hash of the install script to prove that it isn't modified by a man-in-the-middle.

A bit late for that, no?

Maybe I misunderstood, but the modified version could do its thing and then download the official script to fool that check.

Or pretty much anything else imaginable.

I guess you haven't looked at our install instructions[0]. The hash check is done before running the script. You can't run the script if it doesn't match unless you choose to just run it manually and ignore the check.

0. https://toltec-dev.org/

I have not. Just responding to the information that was available in this thread.

But that is better!

The bash script is fairly easy to download and verify before running it. It’s only 200 lines with a few functions and if statements.

Yes, but the whole antipattern of wget | bash is that you don't encourage that sort of scrutiny.
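
The check-before-run flow discussed in this thread, as an added example that is not part of the thread and is not toltec's own install code: the script is saved to disk, its SHA-256 is compared with a pinned value, and it is executed only on an exact match. The function names are hypothetical, `sha256sum` is assumed to be available, and the pinned digest is assumed to come from a channel other than the one that served the script.

```shell
#!/bin/sh
# Added example (constructed): verify a saved installer against a pinned
# SHA-256 before executing it, instead of piping a download into a shell.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE exists and its digest equals the pin exactly.
# Returns 2 for a missing file, 3 for a malformed pin, 1 for a mismatch.
verify_script() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    # A pin must be 64 lowercase hex characters; an empty or truncated
    # value must never be treated as a match.
    case $expected in
        ''|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# run_if_verified FILE EXPECTED_SHA256 [ARGS...]
# Executes the verified bytes on disk; nothing is fetched again in between,
# so the content that was hashed is the content that runs.
run_if_verified() {
    file=$1
    expected=$2
    shift 2
    if verify_script "$file" "$expected"; then
        sh "$file" "$@"
    else
        echo "refusing to run $file: SHA-256 mismatch or bad input" >&2
        return 1
    fi
}
```

The pin only helps if it is delivered separately from the script: a digest fetched from the same unauthenticated source can be replaced together with the file.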