Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I agree that it feels insecure, but is there really a difference between this and downloading and running files from a .tar.gz or installing a .deb for example?


Yes.

apt-get:

  $ ls -l /etc/apt/trusted.gpg.d/

Source Installation:

  $ wget http://nmap.org/dist/sigs/nmap-6.01.tgz.asc
  $ wget http://nmap.org/dist/nmap-6.01.tgz
  $ gpg nmap-6.01.tgz.asc


This is an important part of why Debian and its derivatives are superior to OS X for web development. If you like Mac hardware like I do, at least run a Linux distro as a virtual machine and save yourself the trouble of Homebrew or its contemporaries.


The point is that most people don't do this.


Its built into apt. Unless you are suggesting that most people do:

  # apt-get --allow-unauthenticated ...


debs are authenticated.


With a .tar.gz you can verify a checksum.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: