
The Internet Gods, 2018:

Security! Security! SSL everywhere! Mandatory two-factor authentication! Full-device encryption! Hardware on-chip secure enclaves!

The Internet Gods, also 2018:

let's just give Jeff Bezos all our private RAM, and the official Node.js installer is literally curl | sudo bash

@natecull It's been more or less "just download this crap from the internet and run whatever code it has" since the beginning of the times, so node.js just made it obvious. (Weren't RPM or deb packages signed? Well, yes, but... you know the story.)

@pony @natecull ::stares in nerd::

It makes a distinct difference. The ability for your computer to automatically verify the source computer of a package is non-trivial compared to curlbash. SSL doesn't cut it.

@pnathan @natecull just how.

curl-bash: I'm getting a script that modifies my system running as root from the internet, verified and signed by a certificate stored somewhere on my system.

deb: the same.

@pony @pnathan well, with deb you know you're getting it at least signed by *the actual Debian maintainers*.

With curl | bash you... know it came from one specific server that anyone could've put anything on.

@natecull @pnathan you could argue that, I guess. On the other hand, I suspect the ability of node.js to hold their TLS certificate and possibly revoke it when compromised is maybe better than what gpg can do. If a gpg key of a Debian developer is compromised, I can't really see a way to handle it securely without manual intervention in the system. And HTTPS will probably be how you learn to do it :)

@pony apt secure makes sure the file hasn't been modified since it was uploaded. HTTPS just secures bytes in transit. Also there's only one organization to trust, unlike the hundreds of certificate authorities.
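The distinction the last two posts argue over (integrity at rest under a pinned publisher key versus integrity in transit under TLS), as an added example that is not part of the thread and not apt's own code: a publisher signs a manifest of artifact digests, and the client checks the download against that manifest using a locally pinned public key. It assumes Ed25519 and a hypothetical single-entry manifest in place of apt's GPG-signed Release and Packages files; the key pair and install script are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for apt's signed Release/Packages files:
// a body binding an artifact name to its SHA-256, signed by the publisher.
type Manifest struct {
	Body []byte
	Sig  []byte // Ed25519 signature over Body
}

// Publish runs on the publisher's side: hash the artifact, sign the manifest.
func Publish(priv ed25519.PrivateKey, name string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	body := []byte(name + " sha256 " + hex.EncodeToString(sum[:]))
	return Manifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

// VerifyArtifact runs on the client: the trust anchor is a public key pinned
// locally (the keyring), not whichever TLS certificate the mirror presents.
func VerifyArtifact(pinned ed25519.PublicKey, m Manifest, name string, artifact []byte) error {
	if !ed25519.Verify(pinned, m.Body, m.Sig) {
		return errors.New("manifest not signed by the pinned publisher key")
	}
	sum := sha256.Sum256(artifact)
	if string(m.Body) != name+" sha256 "+hex.EncodeToString(sum[:]) {
		return errors.New("artifact digest does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical publisher key
	script := []byte("#!/bin/sh\necho installing\n")  // constructed sample artifact
	m := Publish(priv, "install.sh", script)
	fmt.Println("original:", VerifyArtifact(pub, m, "install.sh", script))
	// Someone with write access to the server swaps the file. TLS delivers the
	// swapped bytes perfectly intact; only the at-rest check notices.
	swapped := []byte("#!/bin/sh\necho tampered\n")
	fmt.Println("swapped:", VerifyArtifact(pub, m, "install.sh", swapped))
}
```

The same check rejects a manifest signed by any key other than the pinned one, which is what limits the trusted set to a single organization rather than every CA a TLS client accepts.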