Wallace_n_Gromit
Senior Member
Is it safe/secure to install an executable from a source that may not be "thoroughly" vetted?
I have heard from a reputable security source in the past that using "curl" to install software is an iffy security issue. You have to implicitly trust the source.
I have little concern about using "curl" with repos from developers here because of the community-based trust.
ADD: ...and whoever started strobing my smart lights. stop it!
ADDITION: This thread was moved from another thread. I did not realize that I would be stepping on a few toes here, especially from some of the top developers/sysops. This was mainly posed as a question about using and installing new programs to run on your systems from NEW sources (and, come to find out, from old sources--i.e. supply chain attacks, and very old Linux component vulnerabilities like the sudo hack).
It was an idea expressed in the light of much recent news over the last year of the "weaponization" of many methods we take for granted to install, use, update, etc. the software we all are dependent upon.
The greatest thing about this specific grouping of threads, Merlin-AsusWRT, is the very proactive nature of the development and updating of features and mitigation of vulnerabilities as they arise. There is a strong, implicit trust that the developers know what they are doing and are doing it in the right way (i.e. the routers function correctly with their networking and sound/timely/updated security features).
I do understand that my question posed was not from informed personal experience but repeated (and I think badly at that) from an outside source I personally trusted. Once some disagreement about this subject arose, I wasn't even well-informed enough about "curl/bash" to offer some counterpoint.
Since there are so many who read these threads and are at various levels of computer subject matter experience, any claim that is potentially "outlandish" or "sensational" needs to be met head-on and challenged. So I definitely don't take any of this personally.
Lesson: If you bring something up, be clear what the issue is and be able to back it up. That way it will inform and not needlessly alarm.
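The "curl | sh" concern raised above comes down to executing whatever the server returned, with no chance to check it first. As an added example (not code from the thread or from the Asuswrt-Merlin project), here is a small POSIX sh pattern that fetches the installer to a file, compares its SHA-256 against a digest obtained out of band (a release page or signed announcement), and only then runs it. The URL, the expected digest, and the function names are placeholders/assumptions; the `curl` options used (`--fail`, `--location`, `--proto '=https'`) are standard ones.

```shell
#!/bin/sh
# Added example, not from the forum post or the project.
# Replaces `curl URL | sh` with: download to a file, verify digest, inspect, run.

# Print the SHA-256 of a file with whichever tool is available
# (sha256sum on Linux/busybox, shasum on macOS, openssl as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when the file's digest matches the expected value exactly.
verify_script() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads with curl to a temp file and runs it only after the digest matches.
# On mismatch nothing is executed and the file is left in place for inspection.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp="$(mktemp)" || return 1
    # --fail: treat HTTP errors as failures instead of saving an error page
    # --location: follow redirects; --proto '=https': refuse plain http
    curl --fail --silent --show-error --location --proto '=https' \
        -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"
        rc=$?
        rm -f "$tmp"
        return $rc
    else
        echo "digest mismatch for $url; refusing to run. File kept at $tmp" >&2
        return 2
    fi
}

# Offline demonstration on a constructed file; no network is used.
demo() {
    f="$(mktemp)"
    printf '#!/bin/sh\necho installer ran\n' > "$f"
    good="$(sha256_of "$f")"
    verify_script "$f" "$good" && echo "match: ok"
    verify_script "$f" \
      "0000000000000000000000000000000000000000000000000000000000000000" \
      || echo "mismatch: refused"
    rm -f "$f"
}
```

Real use would look like `fetch_verify_run "https://example.invalid/install.sh" "<digest from the release page>"` (placeholder values). The digest must come from somewhere other than the same download URL, otherwise a compromised server can simply publish a matching hash; a signature from the developer's key is stronger still, and the `demo` function shows the accept and reject paths without touching the network.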