undefined | Better HN

0 pointsjnbiche11y ago0 comments

Yes, but how to you know it's actually the software author and that the software has not been modified?

If you're not manually checking the PGP-signed SHASUMs of the software you're downloading for slackware, you're not getting any more security the defective apt software we've been running on debian.

Edit: As pointed out by elosius, verifying SSL certs when you download packages would give you some degree of security (and that's what I often end up having to do on Windows), but unless you have access to signed digests from the package author, you won't get any better security than the broken debian apt system.

0 comments

morganvachon11y ago

So then what's the difference between a broken apt not properly validating the source, and the user getting the source from the author, validating it by hand, and then compiling and installing? At least in the latter scenario, the user can be sure it's properly validated.

Personally, I'll choose the latter. Not only is apt a middleman, now it's a compromised middleman. Throw out the middleman and you have only yourself and the author.

JacobEdelman11y ago

You are willing to go through that much effort to download a single package? Sure I love my privacy and security but I have never had a problem on Ubuntu with that. If I ever have to do something particularly sensitive setting up a virtual machine or booting a different OS temporarily would be less effort.

morganvachon11y ago

Do I verify signatures when downloading and building from source on Slackware? Yes, I do. Slackware itself comes with nearly all the software I need already. The few programs I need to get beyond that, I always verify hashes. I do this using a script I wrote myself (I'm not a programmer by trade but I can bash out a script, no pun intended). I really don't understand why that's surprising; slackbuilds.org encourages its users to verify source tarballs before compiling, and it's a few seconds of extra work.

1 more reply

j / k navigate · click thread line to collapse

0 comments

morganvachon11y ago

Personally, I'll choose the latter. Not only is apt a middleman, now it's a compromised middleman. Throw out the middleman and you have only yourself and the author.

JacobEdelman11y ago

morganvachon11y ago

1 more reply

j / k navigate · click thread line to collapse