by kibwen 1274 days ago
> now you have to trust two things rather than one

No, you're still trusting one thing: the host itself. You're downloading both the script and the binary from the host. Both could be backdoored, and of the two, the binary is far easier to hide a backdoor in.

As for not trusting curl, you still need to fetch the resource somehow, so you're going to be trusting some tool to do it for you. That's not relevant to increasing the attack surface.

2 comments

I’m not actually in the Rust ecosystem at all and only just discovered the domain belongs to the official Rust project.

That clearly changes the trust calculation in this scenario.

I had assumed it was some 3rd party project which would have put it in a different category of problems entirely.

But the entire conversation is kind of pointless then. “There is a secret backdoor in the official Rust binary” is not a useful part of any reasonable threat model.

> You're downloading both the script and the binary from the host.

Technically, if you don’t read the script, you don’t know the binary is from the same host.

That doesn’t matter, though. The chain of trust is deep, including the tooling that produced the binary, your CPU, the internet, etc.

Downloading the first file basically says “I trust this site to give me this tool and nothing else”. Where it then gets that stuff from shouldn’t matter, even if it is from a shady site. You trusted them not to do that, just as you trusted them not to open up their own site so that hackers can replace files on it.