library_napper

@library_napper@monyet.cc

library_napper,
It's more secure to go through a package manager. Checking signatures is important.

library_napper,
Yes, there is. You’re risking downloading malicious software.

library_napper,
They probably lowered it because Mullvad is a security company and downloading .deb files from the Internet is a vector for attack

library_napper,
More Performant, yes. More Secure? Not sure about that

library_napper,
ChatGPT is garbage in garbage out. It’ll probably tell you to curl a file off the internet and pipe it to bash as root.

library_napper,
You might want to say why or you’ll get downvoted. Spoiler: it's not safe and this is how you get malicious software on your computer

library_napper,
Homebrew is extremely insecure. It doesn’t verify package signatures, so it's just as bad as the “just download some sketchy untrusted binary off a website” approach

library_napper,
HTTPS is vulnerable to loads of attacks. That’s why we sign packages.

library_napper,
No, you’re confusing two vectors of attack. I’m saying that if you can trust the vendor, then you’re still at risk from downloading malicious software that was manipulated between the vendor and you (man-in-the-middle attack), unless you verified a signature using a key stored offline (note HTTPS is still vulnerable because the keys are stored online)

library_napper, (edited)

That’s why you download the key from multiple distinct domains from multiple distinct locations using multiple distinct devices and verify their fingerprints match. If the key/fingerprint is only available on one domain, open a bug report with the maintainer.
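The cross-check described in the comment above, as an added example that is not part of the original comment: it computes the OpenPGP version 4 fingerprint (per RFC 4880) of each downloaded copy of a key and groups the sources by the result. The source names, the sample key bytes and all function names are constructed for illustration, and only binary (dearmored) v4 keys are handled.

```python
import hashlib

def primary_key_body(data: bytes) -> bytes:
    """Return the body of the first packet, which must be a v4 public-key packet."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not binary OpenPGP data (dearmor the key first)")
    if hdr & 0x40:                          # new-format packet header
        tag, o1 = hdr & 0x3F, data[1]
        if o1 < 192:
            length, off = o1, 2
        elif o1 < 224:
            length, off = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:                                   # old-format packet header
        tag, size = (hdr >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(hdr & 3)
        if size is None:
            raise ValueError("indeterminate packet length")
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body

def fingerprint_v4(data: bytes) -> str:
    """SHA-1 over 0x99, a two-byte length and the key packet body."""
    body = primary_key_body(data)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def compare_sources(copies: dict) -> dict:
    """Group source names by the fingerprint of the key each one served."""
    groups = {}
    for source, data in copies.items():
        groups.setdefault(fingerprint_v4(data), []).append(source)
    return groups

# Constructed sample key: version 4, creation time, algorithm 1 (RSA), two tiny fake MPIs.
BODY = (b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01"
        + b"\x00\x10\xc3\x51" + b"\x00\x11\x01\x00\x01")
GOOD_OLD = bytes([0x98, len(BODY)]) + BODY   # old-format header
GOOD_NEW = bytes([0xC6, len(BODY)]) + BODY   # same key, new-format header
SWAPPED = GOOD_OLD[:-1] + b"\x03"            # one byte of key material replaced

# Placeholder source names; in practice each copy is fetched separately.
COPIES = {"site-a.example": GOOD_OLD, "site-b.example": GOOD_NEW, "site-c.example": SWAPPED}

if __name__ == "__main__":
    for fpr, sources in compare_sources(COPIES).items():
        print(fpr, sources)
```

More than one group in the output means at least one source served a different key, which is the case to report to the maintainer before trusting any copy.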

library_napper, (edited)

Of course it matters. We don't want to support or contribute content to a service that could go down one day and all the data is lost because we can’t fork it.
