
The problem is that curl|bash isn't authenticated, I don't really know whether the executable I'm getting was really built by the maintainer or if a malicious attacker was able to sneak in and replace it (like what happened with eslint a few weeks ago[1]). Passing off a signed package (as .debs are) as genuine requires getting a hold of the signing key as well, which increases the difficulty of the compromise.

[1]https://eslint.org/blog/2018/07/postmortem-for-malicious-pac...
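As an added example (not code from the thread or from any project it mentions), this is the defensive counterpart to the unauthenticated curl|bash step the comment describes: the script is fetched to a file, its SHA-256 is compared with a value pinned from a separate channel, and only a matching file is executed. It assumes POSIX sh with sha256sum or shasum; the file names and digest in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the thread above. Refuse to execute a downloaded
# installer unless its SHA-256 matches a digest obtained out-of-band
# (for example from a signed release note), instead of piping it straight
# into a shell.

# sha256_of FILE: print the hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
verify_installer() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_and_run URL EXPECTED_SHA256
# Downloads to a temporary file, verifies it, and runs it only on a match.
# The download and the execution are deliberately separate steps so that
# nothing served by the remote host is interpreted before it is checked.
fetch_and_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_installer "$tmp" "$expected"; then
        sh "$tmp"
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}
```

Replacing the digest comparison with a detached-signature check (gpg --verify against a key obtained independently) gives the property the comment attributes to signed packages; with either method the reference value must not come from the same host that serves the script, or it proves nothing.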



No, it doesn't. We're not talking about the Debian package archive.

We're realistically talking about the hypothetical where a .deb is sitting on pi-hole.net, with a GnuPG key right next to it and instructions to trust this key.



