
> We made sure that the toltec install process includes a hash of the install script to prove that it isn't modified by a man-in-the-middle.

A bit late for that, no?

Maybe I misunderstood but the modified version could do its thing and then download the official script to fool that check.

Or pretty much anything else imaginable.



I guess you haven't looked at our install instructions[0]. The hash check is done before running the script. You can't run the script if it doesn't match unless you choose to just run it manually and ignore the check.

0. https://toltec-dev.org/
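The download-then-verify flow described in the comment above, as an added example that is not Toltec's own installer: the candidate script is hashed and compared with a pinned SHA-256 before a single line of it is executed, and on mismatch nothing runs. The sample "official" script, the tampered copy, and the helper names `sha256_of` / `verify_then_run` are constructed for the demo; the pinned hash stands in for the one a project publishes on its install page. The one caveat worth keeping in mind: the hash has to reach you over a channel the attacker who controls the download does not also control, otherwise they simply publish a matching hash for their modified script.

```shell
#!/bin/sh
# Added example, not Toltec's installer: download-then-verify instead of
# "curl | sh". The script is hashed and compared to a pinned SHA-256 BEFORE
# anything in it is executed; on mismatch nothing runs.
set -e

# sha256_of FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_then_run SCRIPT EXPECTED_SHA256
# Runs SCRIPT with sh only if its SHA-256 equals EXPECTED_SHA256.
# Returns 1, having executed nothing, when the digests differ.
verify_then_run() {
    script=$1
    expected=$2
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: SHA-256 mismatch\n  expected %s\n  got      %s\n' \
            "$script" "$expected" "$actual" >&2
        return 1
    fi
    sh "$script"
}

# demo: writes a constructed "official" install script and a tampered copy to a
# temp dir, then prints "ok" when the genuine copy runs and the tampered copy is
# refused without running. The pinned hash is taken from the genuine copy here
# (assumption for the demo); in practice it must come from a channel separate
# from the download itself, e.g. the project's install page.
demo() {
    work=$(mktemp -d)
    genuine="$work/install.sh"
    tampered="$work/install-mitm.sh"
    marker="$work/ran-tampered"

    printf '#!/bin/sh\necho "installing (constructed sample script)"\n' > "$genuine"
    pinned=$(sha256_of "$genuine")          # stands in for the published hash

    # A man-in-the-middle appends a payload; any changed byte changes the digest.
    cp "$genuine" "$tampered"
    printf 'touch %s\n' "$marker" >> "$tampered"

    verify_then_run "$genuine" "$pinned" || { rm -rf "$work"; return 1; }
    if verify_then_run "$tampered" "$pinned" 2>/dev/null; then
        rm -rf "$work"; return 1             # tampered copy must be refused
    fi
    [ ! -e "$marker" ] || { rm -rf "$work"; return 1; }   # payload never ran
    rm -rf "$work"
    echo ok
}

demo
```

Run it with `sh verify_then_run.sh`; the genuine script's echo appears, the tampered copy produces only the refusal message on stderr, and `ok` confirms the payload never executed. Comparing the whole-file digest is what makes the ordering matter: the check guards the copy that is about to run, not some other copy fetched afterwards.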


I have not. Just responding to the information that was available in this thread.

But that is better!


The bash script is fairly easy to download and verify before running it. It’s only 200 lines with a few functions and if statements.


Yes, but the whole antipattern of wget | bash is that you don't encourage that sort of scrutiny.



