by mhoad 1272 days ago
I get what you are trying to say here, but I could also make the argument that you actually doubled it because now you have to trust two things rather than one.

Depending on how you want to consider trust in a wider sense, too, it may even be worse than “double” because I do not have the same amount of trust for the package I am ultimately installing and the script I am using to install it.

Edit: it’s actually 3 things you need to trust; I didn’t include curl itself, which just released a security audit that found a number of vulnerabilities here: https://daniel.haxx.se/blog/2022/12/21/the-2022-curl-securit...

…security is often harder than it looks.


> now you have to trust two things rather than one

No, you're still trusting one thing: the host itself. You're downloading both the script and the binary from the host. Both could be backdoored, and of the two, the binary is far easier to hide a backdoor in.

As for not trusting curl, you still need to fetch the resource somehow, so you're going to be trusting some tool to do it for you. That's not relevant to increasing the attack surface.

I’m not actually in the Rust ecosystem at all and only just discovered the domain belongs to the official Rust project.

That clearly changes the trust calculation in this scenario.

I had assumed it was some 3rd party project which would have put it in a different category of problems entirely.

But the entire conversation is kind of pointless then. “There is a secret backdoor in the official Rust binary” is not a useful part of any reasonable threat model.

> You're downloading both the script and the binary from the host.

Technically, if you don’t read the script, you don’t know the binary is from the same host.

That doesn’t matter, though. The chain of trust is deep, including the tooling that produced the binary, your CPU, the internet, etc.

Downloading the first file basically says “I trust this site to give me this tool and nothing else”. Where it then gets that stuff from shouldn’t matter, even if it is from a shady site. You trusted them not to do that, just as you trusted them not to open up their own site so that hackers can replace files on it.
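As an added illustration (not code from this thread or from the Rust project), one defender-side triage for the point raised above that you don't know where the script fetches the binary from unless you read it: before running a downloaded install script, list the hosts it reaches out to and flag any that differ from the host you got it from, plus constructs that make static reading unreliable. The sample script, its hosts and URLs are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URL literals; stops at whitespace, quotes and closing brackets.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
# Constructs that can hide a download target from a plain read of the script.
OPAQUE_RE = re.compile(r"\beval\b|base64\s+(?:-d|--decode)|\|\s*(?:ba)?sh\b")


def referenced_hosts(script_text):
    """Set of hostnames appearing in URL literals anywhere in the script."""
    return {urlparse(m).hostname for m in URL_RE.findall(script_text)}


def foreign_hosts(script_text, origin_host):
    """Hosts the script fetches from that are not the host it was downloaded from."""
    return sorted(h for h in referenced_hosts(script_text) if h != origin_host)


def opaque_constructs(script_text):
    """Snippets (eval, base64 decode, nested pipe-to-shell) that defeat static review."""
    return [m.group(0) for m in OPAQUE_RE.finditer(script_text)]


# Constructed sample installer (hypothetical names; not any real project's script).
SAMPLE_SCRIPT = """#!/bin/sh
set -e
BASE="https://static.example.org/dist"
curl -sSf "$BASE/installer-x86_64" -o /tmp/installer
curl -sSf https://mirror.example.net/extra/plugin.tar.gz -o /tmp/plugin.tar.gz
chmod +x /tmp/installer
/tmp/installer "$@"
"""


def audit(script_text, origin_host):
    """Return (foreign hosts, opaque constructs); both empty means 'same host, readable'."""
    return foreign_hosts(script_text, origin_host), opaque_constructs(script_text)


if __name__ == "__main__":
    # The script was fetched from static.example.org but also pulls from a mirror.
    extra, opaque = audit(SAMPLE_SCRIPT, "static.example.org")
    print("additional hosts:", extra)       # ['mirror.example.net']
    print("opaque constructs:", opaque)     # []
```

URLs assembled at runtime from variables or command output are not caught by the literal match, which is exactly why a non-empty `opaque_constructs` result should send you back to reading the script by hand.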