
>Out of band verification. When you're doing curl pipe sh, you're trusting the host and that's it. With packages, you can verify the trust against external services like keybase, check website archive for changed key ids, check signatures on the public key if the author is into things like web of trust.

Your grandma is pretty advanced.




> Your grandma is pretty advanced.

Grandma level: Grace Hopper.


Who said anything about grandmas? The topic was "what's better than curl pipe sh". The target crowd knows how to use the terminal.

But if the software is already installed, a trusted package author also allows secure updates.



