Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> The Debian developers ... don't audit the source code of everything ...

Strawman. If an amount of critical code is audited (and it is) it's still much better than nothing.

> I want to know if the script is going to accidentally clobber any existing files

Packages are tested on various hosts and architectures. The packaging system check for files being overwritten and that the package can be removed cleanly Also suspicious things (e.g. unsecure file permissions) are checked. Sandboxing tools are often used to contain daemons.

Furthermore the package content is tracked, while "curl | sh" cannot guarantee that the same script will be received every time or by every user.



> Strawman. If an amount of critical code is audited (and it is) it's still much better than nothing.

Is it, though? I'm specifically thinking about the Debian fiasco a few years ago when a packager broke OpenSSL's key generation. Clearly less scrutiny is paid than one might think. I'm unable to find any evidence/documentation/anything that suggests that code audits by Debian packagers of critical packages are done regularly (or ever).

I did find a few links to some Debian-specific tools to aid code auditing, but nothing to suggest where they're used, how often, and on what packages. Regardless, they look more like linters and static analyzers -- nothing that would help you discover backdoors or just flat-out malicious behavior.

> The packaging system check for files being overwritten...

Yes, I'm well aware, not sure why you're bringing this up. I was merely pointing out (regardless of any other argument being made) that file-clobbering is a reason why "curl | sh"-style installation bothers me, personally, much more than possible security considerations, which I consider to be overblown.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: