• erwan@lemmy.ml
    link
    fedilink
    arrow-up
    3
    ·
    6 months ago

    No matter how they package it, running a binary downloaded from Internet has the same attack surface

    • 4dpuzzle@beehaw.org
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.