coreutils

Re: [PATCH] cksum: add --check-stream=CHECKSUM flag


From: Pádraig Brady
Subject: Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
Date: Sun, 15 Dec 2024 00:50:53 +0000
User-agent: Mozilla Thunderbird Beta

On 14/12/2024 23:20, Akihiro Suda wrote:
> `-S, --check-stream=CHECKSUM` checks the FILE with CHECKSUM and pipes
> the FILE to the stdout.
>
> The motivation is to make `curl | sh` secure without breaking one-liner.
> e.g., curl https://example.com/install.sh | sha256sum --check-stream deadbeef | sh

Similar functionality was discussed a long time ago as listed at:
https://www.gnu.org/software/coreutils/rejected_requests.html#checksum
specifically https://bugs.gnu.org/13243

Now I do agree checking the stream is more concise with this option
than using existing tools, but I'm not sure it's warranted.
With existing tools you'd have:

  tmpf=$(mktemp) && curl -fs https://example.com/install.sh > "$tmpf" \
  && sha256sum --status --check <(echo deadbeef  -) < "$tmpf" && sh "$tmpf"; rm "$tmpf"

Certainly not as neat, but there is no extra functionality
provided with the more concise --check-stream.

BTW I don't fully understand the use case. I presume it's not for security
as if one could compromise the install.sh, presumably one could
compromise the checksum in the instructions. So I'm presuming it's
for extra resiliency or something?

cheers,
Pádraig
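
The buffer-then-verify approach from the existing-tools command above, wrapped as a stdin-to-stdout filter so the one-liner shape is kept. This is an added example, not code from this thread or from coreutils; `verified_cat` is a hypothetical helper name and the script body is constructed sample input.

```shell
#!/bin/sh
# verified_cat EXPECTED_SHA256
# Hypothetical helper (not a coreutils command): reads stdin, and writes it
# to stdout only if its SHA-256 digest equals EXPECTED_SHA256.
verified_cat() {
    expected=$1
    tmpf=$(mktemp) || return 2
    # Buffer the whole stream first. A consumer such as sh executes input
    # as it arrives, so nothing may be emitted before the digest over the
    # complete input has been checked.
    cat > "$tmpf" || { rm -f "$tmpf"; return 2; }
    # Feed sha256sum a one-line checksum list naming the buffered file.
    if printf '%s  %s\n' "$expected" "$tmpf" | sha256sum --status --check; then
        cat "$tmpf"
        rc=$?
    else
        echo "verified_cat: checksum mismatch, emitting nothing" >&2
        rc=1
    fi
    rm -f "$tmpf"
    return "$rc"
}

# Constructed sample input standing in for a downloaded install.sh.
script='echo installed'
good=$(printf '%s\n' "$script" | sha256sum | cut -d' ' -f1)

# Matching digest: the script reaches sh and runs.
printf '%s\n' "$script" | verified_cat "$good" | sh

# Modified content with the same expected digest: sh receives no input.
printf '%s\n' "$script; echo tampered" | verified_cat "$good" | sh
```

In a pipeline, a mismatch leaves `sh` with empty input and exit status 0, so callers that need to see the failure should enable `pipefail` in bash or check the helper's status separately.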


