by gruez
10 days ago
> each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify.

Who's downloading packages from untrusted sources but somehow has a trusted way to get the signing key?

Say you want to install Claude Code and not use the `curl ... | bash` install method. Good thing Claude provides instructions for installing via apt[1]! But what do those instructions tell you to do? They tell you to download a key from downloads.claude.ai, then add the same domain to your apt sources list. So at the end of the day, you're still trusting that downloads.claude.ai hasn't been compromised.

[1] https://code.claude.com/docs/en/setup#install-with-linux-pac...
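The comment above turns on one question: where does the trust in the signing key come from, if the key and the repository arrive from the same host? What a practitioner does about that is pin the key's fingerprint and obtain that fingerprint through a second channel (printed documentation, a keyserver, a colleague, a previous install), then refuse the key if it does not match. The following is an added example, not code from the comment author, from Anthropic, or from the Claude Code docs: it computes the OpenPGP v4 fingerprint of a downloaded key (RFC 4880 section 12.2, SHA-1 over 0x99, the two-byte body length, and the public-key packet body), accepts binary or ASCII-armored input, and compares against a pinned value. The key material is constructed filler, not a real key, and the function names (`key_info`, `verify_pinned`) are the example's own. It does not make the fingerprint trustworthy; it only moves the trust decision away from the download host, which is exactly the gap the comment points at.

```python
import base64
import hashlib
import struct


def dearmor(data: bytes) -> bytes:
    """Return raw OpenPGP packet bytes from binary or ASCII-armored input."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    b64, in_block = [], False
    for line in data.decode("ascii", errors="ignore").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            in_block = True
        elif line.startswith("-----END"):
            break
        elif not in_block or not line or ":" in line:
            continue  # text before the block, armor headers ("Version: ..."), blank separator
        elif line.startswith("="):
            continue  # optional 24-bit CRC line; irrelevant to the fingerprint
        else:
            b64.append(line)
    return base64.b64decode("".join(b64))


def first_packet(raw: bytes):
    """Parse the first OpenPGP packet header (old or new format); return (tag, body)."""
    ctb = raw[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header, RFC 4880 4.2.2
        tag, first = ctb & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not used for key packets")
    else:  # old-format header, RFC 4880 4.2.1
        tag, ltype = (ctb & 0x3C) >> 2, ctb & 0x03
        if ltype == 0:
            length, off = raw[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", raw[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", raw[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, raw[off:off + length]


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || body (RFC 4880 12.2), as 40 upper-case hex."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_info(data: bytes) -> dict:
    """Algorithm id, creation time and fingerprint of the primary key in a key file."""
    tag, body = first_packet(dearmor(data))
    if tag != 6:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    return {"algo": body[5], "created": struct.unpack(">I", body[1:5])[0],
            "fingerprint": v4_fingerprint(body)}


def verify_pinned(data: bytes, pinned_fpr: str) -> bool:
    """True only if the downloaded key matches a fingerprint obtained out-of-band."""
    return key_info(data)["fingerprint"] == pinned_fpr.replace(" ", "").upper()


def constructed_ed25519_key(filler: bytes, created: int = 1_700_000_000) -> bytes:
    """Build a v4 Ed25519 public-key packet from 32 bytes of CONSTRUCTED filler.
    The point is not a valid curve point; it exists only to exercise the parser."""
    oid = bytes.fromhex("2B06010401DA470F01")          # Ed25519 curve OID
    mpi = struct.pack(">H", 263) + b"\x40" + filler     # MPI: 7 bits of 0x40 + 256 bits
    body = b"\x04" + struct.pack(">I", created) + b"\x16" + bytes([len(oid)]) + oid + mpi
    return b"\x99" + struct.pack(">H", len(body)) + body  # old-format header, tag 6


def armor(raw: bytes) -> bytes:
    """Minimal ASCII armor (no CRC) so the demo can exercise dearmor()."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()


if __name__ == "__main__":
    downloaded = armor(constructed_ed25519_key(bytes(range(32))))  # stands in for the .asc fetch
    pinned = key_info(downloaded)["fingerprint"]                   # in practice: from a second channel
    print("downloaded key matches pin:", verify_pinned(downloaded, pinned))
    swapped = armor(constructed_ed25519_key(bytes(32)))            # attacker replaced the key
    print("swapped key matches pin:   ", verify_pinned(swapped, pinned))
```

Once the fingerprint check passes, the key should also be scoped to the one repository it is meant to sign, with apt's `signed-by=` option in the sources entry rather than a system-wide trusted keyring, so a key fetched from one vendor's host cannot authenticate packages from any other source.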