Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm ...

shakna • last Monday at 12:01 AM • 2 replies • view on HN

Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

Replies

stouset • last Tuesday at 6:16 PM

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool

Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.

➕ show 1 reply

saagarjha • last Monday at 4:40 AM

What’s your alternative?

➕ show 1 reply

alt Hacker News

Replies