zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
◧◩
2. vbezhe+p2 2018-07-29 02:30:38
>>cjbpri+e2
deb/rpm is better because it's usually signed by the maintainer with GPG keys. I think that it's harder to steal keys from a maintainer than to infiltrate a web server.
◧◩◪
3. cjbpri+r3 2018-07-29 02:52:00
>>vbezhe+p2
For the most part you receive the GPG keys over the same TLS connection, though.
◧◩◪◨
4. fulafe+K6 2018-07-29 04:01:12
>>cjbpri+r3
That's an antipattern; you should use keyservers.
◧◩◪◨⬒
5. dredmo+pg 2018-07-29 08:01:55
>>fulafe+K6
Still not safe.

Verify key signatures.

And I really wish GPG had a negative trust signature.

◧◩◪◨⬒⬓
6. Dylan1+Hk 2018-07-29 10:04:27
>>dredmo+pg
Verify it against what?
◧◩◪◨⬒⬓⬔
7. dredmo+Bl 2018-07-29 10:26:47
>>Dylan1+Hk
See what keys have signed a given key. See Debian maintainer keys as an example.

This is ... not everything that it could be, and is approaching 30 years old, technology built for a vastly different world.

But this is the basis of the GPG / PGP Web of Trust.

https://en.wikipedia.org/wiki/Web_of_trust

http://www.pgpi.org/doc/pgpintro/

http://www.rubin.ch/pgp/weboftrust.en.html

(I've addressed this point ... a distressing number of times on HN: https://hn.algolia.com/?query=dredmorbius%20web%20of%20trust...)

◧◩◪◨⬒⬓⬔⧯
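The question in comment 6 ("Verify it against what?") and the answer in comment 7 ("See what keys have signed a given key") come down to how a Web of Trust turns certifications plus owner trust into key validity. The following is an added example, not code from the thread or from GnuPG: a small model of GnuPG's classic trust computation, assuming its default parameters (one fully trusted certifier or three marginally trusted ones make a key valid, chains limited to five steps). All key ids, trust assignments and signatures are constructed sample data; the real tool reads them from your keyring and trustdb (e.g. `gpg --list-signatures` shows who certified a key).

```python
"""Toy model of the classic GnuPG Web of Trust validity computation.

Added example, not the thread's or GnuPG's own code. It assumes GnuPG's
default "classic" parameters: a key is valid if it carries
certifications from one ultimately trusted key, one fully trusted
*valid* key, or three marginally trusted *valid* keys
(--completes-needed 1, --marginals-needed 3), and certification chains
are cut off after MAX_CERT_DEPTH passes (an approximation of
--max-cert-depth 5). All keys, trust levels and signatures are
constructed sample data.
"""
from typing import Dict, Set, Tuple

COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# Owner trust: how far we trust a key's owner to certify *other* keys.
# As in GnuPG there is no negative level; the model cannot express
# "certifications from this key should count against a key".
UNKNOWN, MARGINAL, FULL, ULTIMATE = "unknown", "marginal", "full", "ultimate"


def tally(
    key: str,
    valid: Dict[str, bool],
    owner_trust: Dict[str, str],
    certifications: Dict[str, Set[str]],
) -> Tuple[int, int]:
    """Count (complete, marginal) certifications on `key` that come from
    keys which are themselves already valid. Signatures from keys whose
    validity has not been established contribute nothing."""
    completes = marginals = 0
    for signer in certifications.get(key, set()):
        if not valid.get(signer):
            continue
        trust = owner_trust.get(signer, UNKNOWN)
        if trust in (FULL, ULTIMATE):
            completes += 1
        elif trust == MARGINAL:
            marginals += 1
    return completes, marginals


def compute_validity(
    owner_trust: Dict[str, str],
    certifications: Dict[str, Set[str]],
) -> Dict[str, bool]:
    """Return {key_id: is_valid} for every key mentioned.

    owner_trust maps key id -> trust level assigned to its owner.
    certifications maps key id -> set of key ids that have signed it.
    """
    keys = set(owner_trust) | set(certifications)
    for signers in certifications.values():
        keys |= signers
    # Only our own (ultimately trusted) keys start out valid.
    valid = {k: owner_trust.get(k) == ULTIMATE for k in keys}
    # Iterate like a trustdb rebuild: a key becomes a usable certifier
    # only once it is valid itself, so each pass can extend the web by
    # one step.
    for _ in range(MAX_CERT_DEPTH):
        changed = False
        for key in sorted(keys):
            if valid[key]:
                continue
            completes, marginals = tally(key, valid, owner_trust, certifications)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                valid[key] = True
                changed = True
        if not changed:
            break
    return valid


# Constructed sample keyring (hypothetical key ids).
SAMPLE_TRUST = {
    "me": ULTIMATE,      # our own key
    "alice": FULL,       # we trust Alice to certify others carefully
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
}
SAMPLE_SIGS = {
    "alice": {"me"},
    "bob": {"alice"},                 # valid via a full certifier (Alice)
    "carol": {"me"},
    "dave": {"me"},
    "maint": {"bob", "carol", "dave"},  # three marginals: valid
    "eve": {"carol", "dave"},           # only two marginals: not valid
    "stranger": {"nobody"},             # signed by an unknown key: not valid
}

if __name__ == "__main__":
    validity = compute_validity(SAMPLE_TRUST, SAMPLE_SIGS)
    for key in sorted(validity):
        completes, marginals = tally(key, validity, SAMPLE_TRUST, SAMPLE_SIGS)
        print(f"{key:9s} valid={validity[key]!s:5s} "
              f"complete={completes} marginal={marginals}")
```

The point the model makes concrete is the one behind "verify it against what?": a signature on a key is only evidence if the signing key is itself valid and its owner has been assigned some trust, and that assignment is a local decision, not something the keyserver or the download site supplies.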
8. dcbada+6p 2018-07-29 11:35:08
>>dredmo+Bl
Have you asked maintainers whether they're willing to do this? Is there a way to configure apt to verify the chain of trust?