Hacker News .hnnew | past | comments | ask | show | jobs | submitlogin

How is this any different from just downloading a binary from their website and running it? Which people have been doing for ages?


It's different because in a lot of cases there are more layers of security in place that haven't been discussed.

For instance it would be typical in the past to sign the packages/software and publish the public key either to the site or somewhere else. Private keys used to sign the software would never touch the website infrastructure and would live on, typically, much more secure build or sign-only infrastructure.

The public keys used to verify the software could also be delivered through a separate channel, signed by a trusted third party, and etc. With Trust on First Use(TOFU) you'd trust the key when you first obtain it and be notified if the key ever changed unexpectedly.

I agree with the general point of this article. This is the weakest part of the arguments IMHO.


Plenty of installation scripts ask for root.


... and this is a red flag which generally forces me to stop and check why

if I download latest music editor, and it wants root, I will be very suspicious.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: