Comment by craftkiller

Comment by craftkiller 6 hours ago

2 replies

View on Hacker News

Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

dylan604 5 hours ago

That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

Reply View 1 reply
  • bugtodiffer an hour ago

    Couldn't I just publish a package? Then there's malware on the package manager wohooo

    Reply View 0 replies