Re: Phix Linux 64 downloads

ghaberek said...

Please do not ever do this.

monsieurb said...

OK, but why not? We're missing a few things in any case (checksums, a secure connection).

Good points.

monsieurb said...

Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.

If you wget the script and then inspect it, and then (after verifying that it is okay) run the saved contents, that is probably safer.

It is known how to alter the contents of the script depending on if it is being viewed in a browser on a webpage vs being executed on a command line. (IIRC this involved injecting a sleep command followed by an HTTP GET request and then checking the timing of the GET request to see how long the delay was.)

monsieurb said...

Having used Phix a few times, I now trust it and its author. If through no fault of Pete his site is compromised, well, the weak point in the chain is not necessarily the bash script itself.

Perhaps, but why not add that extra layer of security if you can? Just because Pete's site got compromised (or maybe he was hit by a truck right before his domain name expired and the site now legitimately belongs to another person), that should not translate to YOUR systems being compromised too.

monsieurb said...

In a word, convenience.

Yes, those two have always been at odds with one another. )-:
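The download, inspect, verify, then run sequence discussed in this post, as an added example that is not part of the original thread: a POSIX shell helper that executes a saved installer only when its SHA-256 matches a pinned digest, and runs the exact bytes it hashed. The function names, the URL and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run a saved installer only if it matches a pinned SHA-256.
# The URL, file name and digest in the usage comment are placeholders.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 3 on digest mismatch, else the script's status.
run_if_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    shift 2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Hash and run a private copy, so the bytes verified are the bytes executed
    # even if FILE is modified in between.
    copy=$(mktemp) || return 1
    cp "$file" "$copy"
    actual=$(sha256_of "$copy")
    if [ "$actual" != "$expected" ]; then
        rm -f "$copy"
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 3
    fi

    rc=0
    sh "$copy" "$@" || rc=$?
    rm -f "$copy"
    return "$rc"
}

# Typical use (placeholders):
#   wget -O install.sh https://example.invalid/install.sh
#   less install.sh        # read what was actually saved
#   run_if_pinned install.sh "<digest obtained over a separate channel>"
```

The check is only as strong as the channel the digest came from: a digest fetched from the same server as the script falls with it.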
