Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

See, I wouldn't. I would go for the script to either inject the payload to the package or inject to the host.

Even if it's auditable, how many people are actually verifying the shell script before hand?

You've just been given a command to download and execute.

And the potential of having lots of users downloading a shell script has a quicker attack path than users downloading the package. You have custom repos, holding their own distro packages for the software.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: