Hacker News new | ask | show | jobs
by sarciszewski2 4003 days ago
> What do you want them to do?

I want them to not use a one-liner. Step-by-step:

1. Download the files

2. Download the public key

2a. verify the public key if you've never seen it before (publish in the blockchain, have lots of high profile technologists sign it, etc)

3. If the verification matches, then proceed.

Teaching developers to value "clever one-liner hack" over "secure, dependable solution" will lead to bad habits.
1 comments
logicallee 4003 days ago
if you're going to include "2a" you can refactor all of your steps into:

1. Google "meteor.com compromised" and decide whether it's currently compromised. If it isn't:

2. Run curl https://install.meteor.com|sh

It saves a few steps and is equally secure - you know, since you're just going to go based on what other people think and include no programmatic check whatsoever. (your 2a).

link
sarciszewski2 4003 days ago
2a can be swapped out for a better PKI system at any time. Relying on whether it's public knowledge that Meteor is compromised or not is not nearly as resilient.
link
logicallee 4003 days ago
so swap it out for a better PKI system. There is literally nothing in any of your steps that can't be automated, except for the totally nebulous 2a "publish in the blockchain, have lots of high profile technologists sign it" which 9/10 people are not qualified to judge.

There is no reason you couldn't automate your whole suggestion, except for that one, which makes it infeasible and open to all manner of social engineering.

link