Comment by craftkiller 10 months ago

That's like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

dylan604 10 months ago

That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that the package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

  • craftkiller 10 months ago

    No it wasn't. The comment I replied to claimed:

    > This is no different from installing a random package through a package manager

    I replied "No it isn't" in response to that, so I was claiming that a package manager was different (in terms of security) from doing curl | sh.

    My comment then went on to explain specific attacks (a mirror being compromised) which are solved by package managers / cryptographic signatures.

    At no point did I ever claim package managers were immune to all attacks. A compromised build server, leaked keys, or the upstream program that's being packaged being malicious are all still possible.

    It's very simple, my Arch Linux install is pointed at the MIT mirrors. What is stopping the Massachusetts Institute of Technology from replacing my next firefox update with a virus? Cryptographic signatures. They don't have an Arch Linux signing key. What would be stopping them if I installed firefox by doing curl | sh? Nothing.
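The threat model argued over in the two comments above, as an added example that is not part of the thread and not code from any distro's package manager. It models the distro keyring, the packager's signing key and a mirror with Ed25519 from Go's standard library (pacman actually uses PGP keys, but the trust logic is the same). The mirror names, package contents and the helper names `Sign`, `Keyring`, `Scenario` and `Outcome` are assumptions made up for the illustration. Four cases are run: a genuine package, a package the mirror altered after signing, a package the mirror signed with its own key, and an upstream-malicious build signed in good faith by the packager. The first passes, the two mirror attacks fail, and the last one passes, which is exactly the gap the reply concedes: signatures bind bytes to a trusted key, not to good intent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPackage is what a mirror hands to the client: the package bytes, a
// detached signature, and the public key the signer claims to be.
type SignedPackage struct {
	Name      string
	Contents  []byte
	Signature []byte
	SignerPub ed25519.PublicKey
}

// Keyring models the keyring shipped with the OS (archlinux-keyring on Arch).
// Only keys in here are trusted; nothing a mirror serves can extend it.
type Keyring struct {
	trusted []ed25519.PublicKey
}

// Sign is what the packager does with a private key the mirror never sees.
func Sign(name string, contents []byte, priv ed25519.PrivateKey) SignedPackage {
	return SignedPackage{
		Name:      name,
		Contents:  contents,
		Signature: ed25519.Sign(priv, contents),
		SignerPub: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the client-side check. It fails if the claimed signer is not in
// the keyring (a mirror using its own key) or if the bytes were altered after
// signing (a mirror swapping in a trojaned build). It says nothing about
// whether the signed bytes are benign.
func (k Keyring) Verify(p SignedPackage) bool {
	for _, pub := range k.trusted {
		if pub.Equal(p.SignerPub) {
			return ed25519.Verify(pub, p.Contents, p.Signature)
		}
	}
	return false
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Outcome reports, for each constructed case, whether the client would install it.
type Outcome struct {
	Genuine, MirrorTampered, MirrorSelfSigned, MaliciousUpstream bool
}

// Scenario runs the four cases from the thread with freshly generated keys.
func Scenario() Outcome {
	distroPub, distroPriv := mustKey() // packager key; only the public half is shipped
	_, mirrorPriv := mustKey()         // a key the mirror operator controls
	keyring := Keyring{trusted: []ed25519.PublicKey{distroPub}}

	// Constructed package contents; no real binaries are involved.
	genuine := Sign("firefox", []byte("firefox 1.0 built by the distro"), distroPriv)

	// Mirror swaps in a trojaned binary but cannot re-sign it.
	tampered := genuine
	tampered.Contents = []byte("firefox 1.0 + implant")

	// Mirror signs the trojan with its own key and presents that key as the signer.
	selfSigned := Sign("firefox", []byte("firefox 1.0 + implant"), mirrorPriv)

	// Upstream ships something bad; the packager signs it in good faith.
	badUpstream := Sign("firefox", []byte("firefox 1.1 with upstream backdoor"), distroPriv)

	return Outcome{
		Genuine:           keyring.Verify(genuine),
		MirrorTampered:    keyring.Verify(tampered),
		MirrorSelfSigned:  keyring.Verify(selfSigned),
		MaliciousUpstream: keyring.Verify(badUpstream),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine=%v mirrorTampered=%v mirrorSelfSigned=%v maliciousUpstream=%v\n",
		o.Genuine, o.MirrorTampered, o.MirrorSelfSigned, o.MaliciousUpstream)
}
```

The point of carrying the signer's public key inside the package is to show why that alone buys nothing: the client ignores any key that is not already in its local keyring, so a mirror can sign whatever it likes and still be rejected. The `curl | sh` equivalent is an empty keyring with `Verify` replaced by `return true`.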

  • bugtodiffer 10 months ago

    Couldn't I just publish a package? Then there's malware on the package manager wohooo