by KaiserPro
22 days ago
To just hammer that home: each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify. As pointed out, piping curl to bash is problematic. Sure you can go to a browser and check the output, but one of the more fun hacks is detecting server-side if curl is piping to bash and dynamically re-writing the script during serving. tldr:
So long as the package keys are verifiable, you can download a package from a random mirror and be reasonably sure that it came from who it says it did. With curl you have no hope, and it's possible to infer during execution that you are piping to bash.
Who's downloading packages from untrusted sources but somehow has a trusted way to get the signing key? Say you want to install claude code and not use the `curl ... | bash` install method. Good thing claude provides instructions for installing via apt[1]! But what do those instructions tell you to do? It tells you to download a key from downloads.claude.ai, then add the same domain to your apt sources list. So at the end of the day, you're still trusting that downloads.claude.ai hasn't been compromised.
[1] https://code.claude.com/docs/en/setup#install-with-linux-pac...
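Both comments above hinge on one question: where did the verification key come from? The following Go program is an added illustration, not code from either commenter nor from any real package manager or from Claude's installer. It models a mirror serving a package plus a detached ed25519 signature, and compares two client policies: verifying against a key pinned out of band (as a distribution keyring does), versus trusting whichever key the mirror served next to the package (the pattern the reply criticises). The package bytes, the fixed key seeds and the "tampered" payload are all constructed for the example; the helper names (`Release`, `VerifyPinned`, `VerifyTOFU`, `RunScenario`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is what a mirror serves: the package bytes, a detached signature
// over the package's SHA-256 digest, and (as many install docs suggest) the
// publisher's public key fetched from the very same place.
type Release struct {
	Package   []byte
	Signature []byte
	ServedKey ed25519.PublicKey
}

// Constructed, fixed seeds so the example is deterministic. Real keys are
// produced with ed25519.GenerateKey and never derived from a constant.
var (
	publisherSeed = bytes.Repeat([]byte{0x01}, ed25519.SeedSize)
	attackerSeed  = bytes.Repeat([]byte{0x02}, ed25519.SeedSize)
)

// sign mimics the publisher's release step: hash the package, sign the digest.
func sign(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyPinned checks a release against a key the client already holds from
// an independent channel (OS keyring, install media, a previous trusted
// install). The mirror has no influence over this key, so a mirror that
// rewrites the package cannot also make it verify.
func VerifyPinned(pinned ed25519.PublicKey, r Release) bool {
	digest := sha256.Sum256(r.Package)
	return ed25519.Verify(pinned, digest[:], r.Signature)
}

// VerifyTOFU trusts whatever key arrived alongside the package. This is the
// weak pattern from the reply above: one server supplies both key and
// artefact, so a compromised server passes its own check.
func VerifyTOFU(r Release) bool {
	digest := sha256.Sum256(r.Package)
	return ed25519.Verify(r.ServedKey, digest[:], r.Signature)
}

// RunScenario returns three verification outcomes:
//   honestPinned   - genuine release, pinned key           (expected true)
//   tamperedPinned - rewritten release, pinned key         (expected false)
//   tamperedTOFU   - rewritten release, key from the mirror (expected true, i.e. undetected)
func RunScenario() (honestPinned, tamperedPinned, tamperedTOFU bool) {
	publisher := ed25519.NewKeyFromSeed(publisherSeed)
	pinned := publisher.Public().(ed25519.PublicKey)

	// Constructed sample "package": an install script.
	pkg := []byte("#!/bin/sh\necho installing example-tool 1.2.3\n")
	honest := Release{Package: pkg, Signature: sign(publisher, pkg), ServedKey: pinned}

	// A compromised mirror serves a modified script, re-signed with its own key,
	// and publishes that key where the install docs told the client to fetch it.
	attacker := ed25519.NewKeyFromSeed(attackerSeed)
	modified := append(append([]byte(nil), pkg...), []byte("echo line added by mirror\n")...)
	tampered := Release{
		Package:   modified,
		Signature: sign(attacker, modified),
		ServedKey: attacker.Public().(ed25519.PublicKey),
	}

	return VerifyPinned(pinned, honest), VerifyPinned(pinned, tampered), VerifyTOFU(tampered)
}

func main() {
	h, tp, tt := RunScenario()
	fmt.Printf("genuine release, pinned key:        verified=%v\n", h)
	fmt.Printf("tampered release, pinned key:       verified=%v\n", tp)
	fmt.Printf("tampered release, key from mirror:  verified=%v\n", tt)
}
```

The point the code makes is that signature verification only buys independence from the mirror when the key is pinned through a channel the mirror does not control; if the key and the package share a channel, the check degrades to "the server is consistent with itself", which is no stronger than the `curl | bash` it was meant to replace.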