Hacker News
by gavinuhma 1325 days ago
That’s right. The checksum shouldn’t be provided by the site. I’m producing the checksum myself after reviewing the install scripts manually. Once I produce the checksum I can keep relying on it. The install scripts don’t tend to change very often.

That makes some kind of sense. The original post makes you sound like you're one of those crazy people who thinks e.g. Flatpak is fine but curl | bash is horribly insecure.

However I'm still not sure it really makes sense. Do you also manually review the code of the binaries that the bash scripts download?

So you're storing the checksums locally for each script then?

Is that much different than just storing the verified copies of the scripts?

Storing them in the readme, which others can use as well. I jump around to new machines a lot, so I can reference checksum.sh if I want to install Rust, for example.
Makes sense, congrats on shipping!
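The workflow described in the thread (review an install script once, record its SHA-256, then on every later machine fetch the script to a file, compare it against the pinned hash, and only then hand it to the shell) is shown below as an added example. It is not code from gavinuhma or from checksum.sh; the pin-file layout, the function names and the stand-in installer are all assumptions made for illustration. One caveat the thread itself raises: the hash covers only the bytes of the script you reviewed, not the binaries that script goes on to download, so a pin is only as good as the review behind it.

```bash
#!/bin/sh
# Verify-then-run replacement for `curl ... | sh`, written for this page as an
# illustration. Assumed pin-file format: one line per script, "<sha256>  <name>".
set -eu

# SHA-256 of a file; uses GNU sha256sum where present, otherwise shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# One-time step, done after reading the script by hand: record its checksum.
# $1 = reviewed script path, $2 = logical name (e.g. rust), $3 = pin file
pin_checksum() {
  printf '%s  %s\n' "$(sha256_of "$1")" "$2" >> "$3"
}

# Every later install: compare a freshly downloaded copy against the pin.
# Returns 0 only when the hash matches; 1 if there is no pin or it differs.
# $1 = downloaded script path, $2 = logical name, $3 = pin file
verify_script() {
  expected=$(awk -v n="$2" '$2 == n {print $1; exit}' "$3")
  [ -n "$expected" ] || { echo "no pinned checksum for $2" >&2; return 1; }
  actual=$(sha256_of "$1")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $2: expected $expected, got $actual" >&2
  return 1
}

# Network-facing wrapper (not invoked in the offline demo below). Downloading
# to a file first matters: the hash then covers exactly the bytes that run,
# which a direct `curl | sh` pipe cannot guarantee.
# $1 = URL, $2 = logical name, $3 = pin file
verified_install() {
  tmp=$(mktemp)
  curl -fsSL "$1" -o "$tmp"
  if verify_script "$tmp" "$2" "$3"; then
    sh "$tmp"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Constructed offline demo: a stand-in installer written locally, not any
# vendor's real script. Returns 0 when the unchanged copy is accepted and the
# modified copy is rejected, 1 otherwise.
demo() {
  work=$(mktemp -d)
  pins="$work/checksums.txt"
  printf '#!/bin/sh\necho "installing example tool"\n' > "$work/install.sh"
  pin_checksum "$work/install.sh" example-tool "$pins"
  verify_script "$work/install.sh" example-tool "$pins" || { rm -rf "$work"; return 1; }
  # Simulate the script changing upstream (or in transit) after it was pinned.
  printf 'echo "an extra line that was never reviewed"\n' >> "$work/install.sh"
  if verify_script "$work/install.sh" example-tool "$pins" 2>/dev/null; then
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  return 0
}

demo && echo "pin accepted the reviewed script and rejected the modified one"
# Real use, once a pin exists:
#   verified_install https://example.invalid/install.sh example-tool ~/checksums.txt
```

The pin file travels with you (in a readme, a dotfiles repo, or wherever), and the only state each new machine needs is that file plus `sh`, `curl` and a SHA-256 tool.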