• @erwan@lemmy.ml
    link
    fedilink
    45 months ago

    No matter how they package it, running a binary downloaded from Internet has the same attack surface

    • 4dpuzzle
      link
      fedilink
      English
      55 months ago

      You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.