zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2[view] [source] 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
◧◩
2. vbezhe+p2[view] [source] 2018-07-29 02:30:38
>>cjbpri+e2
deb/rpm is better because it's usually signed by maintainer with GPG keys. I think that it's harder to steal keys from maintainer than to infiltrate web server.
◧◩◪
3. cjbpri+r3[view] [source] 2018-07-29 02:52:00
>>vbezhe+p2
For the most part you receive the GPG keys over the same TLS connection, though.
◧◩◪◨
4. fulafe+K6[view] [source] 2018-07-29 04:01:12
>>cjbpri+r3
That's an antipattern, should use keyservers.
◧◩◪◨⬒
5. dredmo+pg[view] [source] 2018-07-29 08:01:55
>>fulafe+K6
Still not safe.

Verify key signatures.

And I really wish GPG had a negative trust signature.

◧◩◪◨⬒⬓
6. fulafe+dl[view] [source] 2018-07-29 10:16:51
>>dredmo+pg
Yeah, if there are signatures then it doesn't matter. But often both are a miss.

Eg the key from https://docs.docker.com/install/linux/docker-ce/ubuntu/#set-... doesn't have signatures, and isn't on the keyservers.

Of course an unsigned key missing from the keyservers still has the advantage that on subsequent installs/updates, the previously downloaded key persists. And you can keep the initially downloaded key in your CI configs.

[go to top]