You can verify the integrity of the ISO with a SHA and/or verifying signatures with the vendor’s public key. You could do this with the shell script by downloading it, verifying it, checking to ensure that it verifies the ISO it downloads, and then running it.
It also skips any passive vulnerability scans such as the known-exploit signature checks and virus scans that are common in browsers now. So if the site is compromised and they are providing file hashes that will validate their exploit script then a browser downloading the same script and/or ISO would have a chance of catching it.
Yeah, that’s why I’m always surprised to see websites instruct users to curl | sh when they could tell users to curl > file && sha256sum file cross-check the sum, and then sh file at least.
I mean, if the script, the checksum, and the instructions to check the checksum are all served from the same https server, you don’t actually gain anything by checking the checksum.
As the downloader you don’t gain anything directly but as the publisher it would require an attacker to change the content of the site, which is another opportunity for detection. Not anywhere near complete protection but an additional low cost security later.
I tried it on an M1 Air for 20 minutes and it was very smooth. Linux itself seems pretty good, but it’s Arch and KDE which I’m not too familiar with, so I switched back pretty quickly to macOS to get some work done. I’ll have another bash soon with a bit more time and patience.
Installing an operating system with
curl | sh? Well, I’ve done riskier things to my machines before.at this point isn’t that essentially what home-brew is? :D
How’s that different security-wise from downloading an ISO and running it at boot time?
In general a shell script is easier to man in the middle.
In this specific case since it is https you are right there is not much difference.
Assuming most people will copy paste the command from a webbrowser into the terminal there is also the possibility of some css/unicode trickery
You can verify the integrity of the ISO with a SHA and/or verifying signatures with the vendor’s public key. You could do this with the shell script by downloading it, verifying it, checking to ensure that it verifies the ISO it downloads, and then running it.
Simply doing
curl | shskips all of this.curl verifies the script with the vendor’s public key too, that’s what https does.
As far as I can tell, the big difference is the sh step gets to live in your running OS with the disks mounted, but that’s it.
It also skips any passive vulnerability scans such as the known-exploit signature checks and virus scans that are common in browsers now. So if the site is compromised and they are providing file hashes that will validate their exploit script then a browser downloading the same script and/or ISO would have a chance of catching it.
You can do easily do
curl > fileand verify to your hearts content. :)Yeah, that’s why I’m always surprised to see websites instruct users to
curl | shwhen they could tell users tocurl > file && sha256sum filecross-check the sum, and thensh fileat least.I mean, if the script, the checksum, and the instructions to check the checksum are all served from the same https server, you don’t actually gain anything by checking the checksum.
As the downloader you don’t gain anything directly but as the publisher it would require an attacker to change the content of the site, which is another opportunity for detection. Not anywhere near complete protection but an additional low cost security later.
Maybe by the time I have both a studio and a display Alyssa will have got the GPUs to work (the amount she’s already got going is insane) :D
Has anyone tried this? I’m thinking of installing it on my M1 MacBook Pro.
I tried it on an M1 Air for 20 minutes and it was very smooth. Linux itself seems pretty good, but it’s Arch and KDE which I’m not too familiar with, so I switched back pretty quickly to macOS to get some work done. I’ll have another bash soon with a bit more time and patience.
yeah that killed my interest