bug#34125: Installation script needs to be secured with a gpg signature

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#34125: Installation script needs to be secured with a gpg signature

From:	Björn Höfling
Subject:	bug#34125: Installation script needs to be secured with a gpg signature
Date:	Fri, 18 Jan 2019 16:23:01 +0100

I was looking at the installation video from Laura (not yet public) and
wondered about that:

We just download the installation script:

$ wget https://.../guix-install.sh

Then we go on directly executing that script.

Shouldn't that be save-garded by a PGP-signature too?

Because if it is not, the user could be tricked into a script that
downloads a "bad" Guix installation tarball. That's what we are always
criticising about others wget-scripts that install whatever to the user.

WDYT?

Björn

pgpyLq2oEH_Xw.pgp
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#34125: Installation script needs to be secured with a gpg signature, Björn Höfling <=
- bug#34125: Installation script needs to be secured with a gpg signature, Ricardo Wurmus, 2019/01/22
  - bug#34125: Installation script needs to be secured with a gpg signature, Björn Höfling, 2019/01/25

Prev by Date: bug#34124: gnome-shell crash when opening the activities overview
Next by Date: bug#33603: Invalid hash for NSS-Certs
Previous by thread: bug#34124: gnome-shell crash when opening the activities overview
Next by thread: bug#34125: Installation script needs to be secured with a gpg signature
Index(es):
- Date
- Thread