Comment by craftkiller

Comment by craftkiller 10 months ago

6 replies

View on Hacker News

No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

[0] https://web.archive.org/web/20240213030202/https://www.idont...

dylan604 10 months ago

I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install

Reply View 4 replies
  • craftkiller 10 months ago

    Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

    Reply View 3 replies
    • dylan604 10 months ago

      That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

      Reply View 2 replies
      • craftkiller 10 months ago

        No it wasn't. The comment I replied to claimed:

        > This is no different from installing a random package through a package manager

        I replied "No it isn't" in response to that, so I was claiming that a package manager was different (in terms of security) from doing curl | sh.

        My comment then went on to explain specific attacks (a mirror being compromised) which are solved by package managers / cryptographic signatures.

        At no point did I ever claim package managers were immune to all attacks. A compromised build server, leaked keys, or the upstream program thats being packaged being malicious are all still possible.

        Its very simple, my Arch Linux install is pointed at the MIT mirrors. What is stopping the Massachusetts Institute of Technology from replacing my next firefox update with a virus? Cryptographic signatures. They don't have an Arch Linux signing key. What would be stopping them if I installed firefox by doing curl | sh? Nothing.

        Reply View 0 replies
      • bugtodiffer 10 months ago

        Couldn't I just publish a package? Then there's malware on the package manager wohooo

        Reply View 0 replies
_hyn3 10 months ago

The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.

Reply View 0 replies