by e12e
4284 days ago
I'd say apply the same level of scrutiny as you would other code, such as the code that your distribution allows you to install. That means:

1) Find a source you trust (nominally)
2) Get a gpg-key that you trust belongs to that user
3) Get the install.sh script
4) Get the matching gpg signature (install.sh.asc)
5) Verify that 4) is a valid signature of 3) under 2)
6) Have a look at the script
7) Run the script

If you can't establish 2), you'll just have to stick to 3), 6) and 7).

Seeing that something is on an https site just means someone had the access to put it there. If someone got access to the private key behind 2), 1) is probably so compromised that there isn't anything other than 6) that might protect you, and if the script is truly malicious (as opposed to just your average botched bash script), it's not guaranteed that it's obviously malicious.

Anyway, a gpg signature links some distributable the author has verified all the way back to wherever that file was authored, while https only anchors trust on the web server. Web servers get compromised all the time. Prefer a proper signature as a means to anchor trust ("yes, this is probably what X wanted to distribute. If you trust X, this is probably OK"). An https signature just means: "This is something someone/anyone managed to upload to this web server".
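Steps 2) to 5) and 7) of the procedure above as a POSIX shell script (an added example, not code from the comment or from any project). It assumes gpg is installed and that the trusted public key was fetched out-of-band, not from the same server as the script; all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the comment above): steps 2 to 5 and 7 as a script.
# Assumes gpg is installed. TRUSTED_KEY is an armored public key you already
# decided to trust and fetched out-of-band (not from the same server as the
# script); all file names here are hypothetical.

# verify_script SCRIPT SIGNATURE TRUSTED_KEY
# Imports only the trusted key into a throwaway keyring, so nothing else that
# happens to sit in ~/.gnupg can satisfy the check, then verifies that
# SIGNATURE is a valid detached signature of SCRIPT under that key.
# Returns 0 for a good signature, 1 for a bad, missing or unknown-key one.
verify_script() {
  script=$1; sig=$2; key=$3
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  rc=1
  if gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null &&
     gpg --homedir "$home" --batch --quiet --trust-model always \
         --verify "$sig" "$script" 2>/dev/null; then
    rc=0
  fi
  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  return $rc
}

# verify_then_run SCRIPT SIGNATURE TRUSTED_KEY
# Step 7 gated on step 5. Step 6 (reading the script) is still on you: a valid
# signature only says the key holder shipped this exact file, not that it is
# benign.
verify_then_run() {
  if verify_script "$1" "$2" "$3"; then
    echo "signature OK: $1 is what the key holder signed; running" >&2
    sh "$1"
  else
    echo "signature BAD or unverifiable for $1; refusing to run" >&2
    return 1
  fi
}

# Example invocation (hypothetical file names):
#   curl -fsSLO https://example.invalid/install.sh
#   curl -fsSLO https://example.invalid/install.sh.asc
#   verify_then_run install.sh install.sh.asc ~/keys/author.asc
```

Any single byte changed in install.sh after signing makes verify_script return 1, which is exactly the case the https-only download cannot detect.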