In addition, a pure number as a library name makes trouble in almost every programming language, because you can't use it directly as an identifier and have to find a workaround.
It seems that at least in Python the library is hence named "two1", not "21".
I guess they did it because the short domain (21.co) was available for their installation command:
curl https://21.co | sh
Not sure why the authors think anybody would type that in by hand, rather than just copy & paste it, though. So the short name doesn't help here, either.
In addition, the "curl | sh" type of installation has a bad reputation among developers, for security reasons. Which is especially critical when payment is involved. And which is even more critical when it is about automatic payment.
At least they provide a docker image in addition to that. But even here, no separate checksum is provided. Also, I can't see any digital signature. Or anything else to ensure integrity through a separate channel.
> In addition, the "curl | sh" type of installation has a bad reputation among developers, for security reasons. Which is especially critical when payment is involved. And which is even more critical when it is about automatic payment.
That only secures the transport, not necessarily the source. Especially without a checksum or digital sig to verify the source, it's a little weird of an oversight for a company like 21.
How would that checksum or digital signature be distributed?
HTTPS checks for authenticity of source (it uses digital signatures). Now, I guess there could be a rogue CA which creates another certificate for 21.co, but excluding that it's fine.
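The download-then-verify pattern the thread is asking for, as an added example that is not from 21.co or any of the commenters: the script is saved to a file, its SHA-256 is compared against a value obtained through a separate channel, and it is only executed on a match. The URL and expected checksum are placeholders; the checksum is assumed to come from somewhere other than the host serving the script, otherwise it adds nothing over HTTPS alone.

```shell
#!/bin/sh
# Added example: verify an installer script before running it, instead of
# "curl URL | sh". Placeholder values; the real checksum must be obtained
# out of band (vendor docs, signed release note), not from the same host.
INSTALLER_URL="https://example.invalid/install.sh"   # placeholder URL
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file, portable across sha256sum / shasum / openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_script FILE EXPECTED -> exit status 0 on match, 1 on mismatch.
verify_script() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED: download to a temp file, verify, then run.
# The script never reaches "sh" unless the checksum matches.
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_script "$tmp" "$2"; then
        sh "$tmp"; rc=$?
    else
        echo "checksum mismatch for $1; refusing to run it" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (not executed here, the placeholders are not real):
# fetch_verify_run "$INSTALLER_URL" "$EXPECTED_SHA256"
```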