> I doubt using another method would minimize the risk if meteor.com actually got owned.

GPG signing, keep the private key offline, publish the public key in the blockchain and have a lot of high profile technologists sign it so it can be independently verified.

See also: PHPUnit. https://phpunit.de/manual/current/en/installation.html#insta...

(They provide an example shell script for quickly downloading and verifying the latest versions of their install.)

I completely understand your point.

But in the end it's about people... your example with PHPUnit can be abused like this: https://thejh.net/misc/website-terminal-copy-paste How many people do you think will bother to paste the script into a text editor and check for evil parts?


Anybody who runs unverified code, through any medium, when the option to run trusted code is available, deserves to get pwned.

https://github.com/paragonie/password_lock/blob/master/run-t...

^- For the record, I keep scripts like this in my Git repositories.
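A script in the spirit of the PHPUnit installer check mentioned above, written with the copy-paste caveat in mind: fetch to a file first, then verify a pinned checksum and a pinned GPG signing-key fingerprint before anything gets executed. This is an added example written for this thread, not PHPUnit's script and not code from any commenter; the file names, checksum and fingerprint are placeholders the reader replaces with the project's published values.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256 and a
# pinned GPG signing-key fingerprint before running it. Not PHPUnit's script.
# Assumes the artifact and its detached .asc signature are already on disk;
# the checksum and fingerprint values are placeholders to be replaced.
set -u

sha256_of() {
  # GNU coreutils first, then BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 only if the file's SHA-256 equals the pinned value (case-insensitive).
verify_pinned_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$(sha256_of "$1")" = "$expected" ]
}

# Returns 0 only if gpg emits a VALIDSIG status line whose primary-key
# fingerprint is the pinned one. Checking the fingerprint, not just "Good
# signature", rejects a valid signature from any other key in the keyring.
verify_pinned_gpg() {
  artifact=$1; sig=$2; fpr=$3
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null \
    | grep -q "^\[GNUPG:\] VALIDSIG .* $fpr\$"
}

# Both checks must pass; only then is the file made executable.
install_verified() {
  artifact=$1; sig=$2; sha=$3; fpr=$4
  verify_pinned_sha256 "$artifact" "$sha" || { echo "checksum mismatch" >&2; return 1; }
  verify_pinned_gpg "$artifact" "$sig" "$fpr" || { echo "signature check failed" >&2; return 1; }
  chmod +x "$artifact" && echo "verified: $artifact"
}

# Placeholder usage (values are not real):
# install_verified tool.phar tool.phar.asc \
#   "<published sha256>" "<published key fingerprint>"
```

Pinning both the hash and the key fingerprint means a compromised download host alone cannot substitute an artifact, and a stray key in the local keyring cannot satisfy the signature check.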
