[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#34125: Installation script needs to be secured with a gpg signature
From: |
Björn Höfling |
Subject: |
bug#34125: Installation script needs to be secured with a gpg signature |
Date: |
Fri, 18 Jan 2019 16:23:01 +0100 |
I was looking at the installation video from Laura (not yet public) and
wondered about that:
We just download the installation script:
$ wget https://.../guix-install.sh
Then we go on directly executing that script.
Shouldn't that be save-garded by a PGP-signature too?
Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others wget-scripts that install whatever to the user.
WDYT?
Björn
pgpyLq2oEH_Xw.pgp
Description: OpenPGP digital signature
- bug#34125: Installation script needs to be secured with a gpg signature,
Björn Höfling <=