89 points a10r | 1 comments
kevincox No.44408014
My main question is in 90% of cases these are installers. How are you actually verifying the software that you install? In some cases it is signed and verified but in many cases it is just coming down from the same HTTPS server with no additional verification. So are you then diffing the code (which may be compiled) as well?

I'm not saying that running random installers from the internet is a great pattern. Something like installing from your distribution can have better verification mechanisms. But this seems to add very little confidence.

a10r No.44408170
You're absolutely right—vet's scope is focused on securing the installer script itself, not the binary it downloads.

The goal is to prevent the installer from being maliciously modified to, for example, skip its own checksum verification or download a binary from a different, malicious URL.

It's one strong link in the chain, but you're right that it's not the whole chain.

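The check discussed in this thread, comparing a freshly fetched installer script against the copy that was last reviewed before anything runs, can be sketched as follows. This is an added example, not part of the thread and not vet's code; the function names, file names and the sample installer lines (with `example.com` / `example.net` hosts) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (not vet's implementation); all names are hypothetical.

# check_installer FETCHED APPROVED
#   0 = byte-identical to the reviewed copy
#   1 = changed since review (unified diff printed to stderr)
#   2 = no reviewed copy yet, full review needed
#   3 = fetched file missing
check_installer() {
    fetched=$1
    approved=$2
    [ -f "$fetched" ] || { echo "missing fetched script: $fetched" >&2; return 3; }
    if [ ! -f "$approved" ]; then
        echo "no approved copy; review $fetched in full before running" >&2
        return 2
    fi
    if cmp -s "$fetched" "$approved"; then
        return 0
    fi
    echo "installer changed since last review:" >&2
    diff -u "$approved" "$fetched" >&2 || true   # diff exits 1 on differences
    return 1
}

# approve_installer FETCHED APPROVED: record the reviewed script as the baseline.
approve_installer() {
    cp "$1" "$2"
}

# demo: constructed sample mirroring the two changes named in the thread,
# a different download host and a dropped checksum step.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'curl -fsSLO https://example.com/tool.tar.gz' \
        'sha256sum -c tool.tar.gz.sha256' > "$dir/approved.sh"
    printf '%s\n' 'curl -fsSLO https://example.net/tool.tar.gz' > "$dir/fetched.sh"
    check_installer "$dir/fetched.sh" "$dir/approved.sh"
    status=$?
    rm -rf "$dir"
    return $status
}
```

Calling `demo` returns status 1 and prints the diff showing both changed lines. As the thread notes, this covers the script only; the binary it downloads still depends on the script's own checksum or signature step.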