Comment by dylan604

Comment by dylan604 5 hours ago

That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

bugtodiffer an hour ago

Couldn't I just publish a package? Then there's malware on the package manager wohooo