[chc]

I don't see how comparing an install script you get from somebody with a hash you get from that same somebody gains you an appreciable amount of security. If their server is compromised, you can't trust the hash either. Basically, what you need is a source of trust external to the transaction. If that isn't available and you aren't going to manually review everything, I don't see how this is meaningfully different.

[ajross]

It doesn't give you "perfect" authentication (because nothing does, that's the why the whole root of trust issue is so difficult), but to argue that it isn't appreciably different than literally running the output of curl is just silly.

If I don't trust the hash value I got from the Fedora web site I can ask Google. I can check it vs. the mirrors. I can ask my friend who installed it already to see if it matches her file. I can check the signature on the hash to make sure it matches the key I have stored from my existing install (or the one before that, etc...). That's not perfect but at least it's something.

[chc]

Yes, but I'm talking about the case where you do trust the hash value just like people who use this method trust rust-lang.org. If you don't trust this software, you could download it and get a hash from somebody you trust as well — in neither case are you forced to do it the easier and less secure way. Obviously a quick install process where you trust the source will be less secure than a laborious process where you carefully inspect the code or obtain and verify multiple hashes via sneakernet. But I'm not convinced that the "secure" easy path where you get a file from somebody and a hash/key from the same source, see that the two match and then run the file is actually more secure in any meaningful way than piping curl into sh. The difference seems to be more in the user's level of caution — this method just lays what you're doing bare rather than burying it under layers of indirection.

[ajross]

But... you can't get a hash from somebody you trust with this scheme. The script downloads and runs and throws itself away with no attempt made to authenticate anything (well, I guess there's the TLS cert as it's a https url -- that's something at least).

Or if it's there somewhere I don't see it. Where it it?

[chc]

The point is that if you're paranoid, you won't pipe curl into sh just like you won't blindly trust an unauthenticated hash. There is nothing stopping you from putting more effort into installing this software just like there's nothing stopping you from putting more effort into installing an apt package of questionable provenance.

[leo_santagada]

you can also read the bash script before running it... and it is infinitely more secure than just trusting a hash as your friend and the mirrors can be compromised without you being able to notice (and it has happen before).

[ajross]

Er, huh? You're mixing two arguments here. You're talking about the difficulty of authenticating the root of trust (very hard) and trying to use it to address the issue of installing authenticated software (a long-solved problem).

I'm aware of no situations where linux distro mirrors have been compromised with code that will install on live systems. Again, the key is set up on the clients at install time, you can't drop compromised software on them via package install without stealing the signing keys.

The whole point here is that the "run the shell script off hte web" skips the whole root-of-trust issue, and suffers for it. It must stop, guys.