Questions tagged [install]
35 questions
133
votes
14 answers
Is a Windows installer that doesn't require admin rights dangerous?
I use Atlassian SourceTree on Windows, and one thing I like about it is that it doesn't require admin privileges to install or update. I happened to mention this to our ISSO (Information System Security Officer), and he was not a fan. He said that…
David K
- 1,317
- 2
- 7
- 9
51
votes
6 answers
Is `curl {something} | sudo bash -` a reasonably safe installation method?
The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
This clashes with some basic security rules I…
Krubo
- 789
- 5
- 9
12
votes
1 answer
Is it safe to use Python package managers like pip, easy_install or conda?
I know it is unsafe to install software (including Python packages) from not trusted or compromised sources.
However I wonder how safe I am when I am installing a trusted package from Python Package Index or from Anaconda repository (which I also…
abukaj
- 273
- 2
- 7
11
votes
3 answers
How to determine if it is safe to install apk files from alternative android app stores?
Several sites offer APK downloads (1, 2, 3). Is there a way to determine if a given website/apk is safe to install?
Sparkler
- 795
- 4
- 7
- 19
7
votes
1 answer
Is installing Debian package safe?
If I understand correctly, the maintainer scripts in Debian packages are executed with root privileges. I assume that this means that, contrary to my expectation, installing a malicious package can not only lead to compromising the user that runs…
Boris Bukh
- 181
- 5
7
votes
4 answers
Does the new Fedora package manager allow unauthorized installations?
I just upgraded to Fedora 22. The biggest change from the previous version is that the yum package manager is now replaced with dnf. One change I've noticed is that if you try to execute a command that comes from a common package which is not yet…
Woodrow Barlow
- 143
- 11
5
votes
1 answer
Are Ubuntu Snaps more secure than the classic installation method from the official repos?
Today Ubuntu (and some other distros) offer a new way to install software, which is snaps. It's software packaged with all its dependencies, run with some kind of containerization, and auto-updated. This might make it sound like it's definitely a…
reed
- 15,398
- 6
- 43
- 64
4
votes
2 answers
Can I rely on anti-virus scanning "data" objects in installer?
When I run an anti-virus scan (Kaspersky in this case) on an (InnoSetup) installer, it scans multiple "data" objects which seem to be the files within the installer:
This gives the impression that it would detect a malicious program even before…
Ignitor
- 141
- 4
3
votes
1 answer
MacBookPro's OSX install.log has entries that predate the initial unboxing
Basically what the title says. I recently had a look at my /var/log/install.log and the earliest entries are from about 2 full months prior to me unboxing the computer.
The packaging had cellophane, no indication it was secondhand, and nothing…
Adelmar
- 151
- 5
2
votes
1 answer
Is it safe to ask users to curl a raw file from GitHub?
I have a command line tool (ngi) I made, and currently the process of installation requires 2 steps.
First step is to clone the repo into usr/local/ngi.
Second step is to manually set the $PATH in ~/.bash_profile (or wherever they set their…
Josh Beam
- 135
- 9
1
vote
1 answer
Should I verify installer file PGP hash?
Let's say that I'll download an installer for a program on Windows and the publisher has released PGP Signature for the file.
The installer file does not have any code signing certificates.
If I connect to the publisher's website with https and…
Emre Kenci
- 163
- 1
- 1
- 5
1
vote
1 answer
Add Cipher Suite support to Chrome/ Chromoium?
I would like to know how to add Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA support to the new versions of Chrome?
Since Chrome v25/26 Google stopped the support of Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA. Unfortunately, I am…
Xtreme
- 11
- 1
- 2
1
vote
1 answer
macapps.link - possible attack vector - could you pipe through some security script
I asked this at https://apple.stackexchange.com/questions/445343/macapps-link-possible-attack-vector-could-you-pipe-through-some-security-scr but I think this would be more appropriate place.
A work colleague said she is using…
HankCa
- 113
- 4
1
vote
3 answers
How can I have my process detect if antivirus injected a module or DLL to it?
I am writing an installer process (.exe). My installer deploys different components. It will add registry entries, copy files, copy files over the network, remote execute, remote PowerShell, local Powershell, etc.
Sometimes, antivirus DLLs are…
ilansch
- 113
- 5
1
vote
0 answers
When file hash not available, how to best check authenticity of a file?
Normally, The Document Foundation (TDF) publishes the SHA-256 and SHA-1 hashes, along with the MD5 checksum, for all LibreOffice releases. For example, see this.
However, for their current release (v7.1.4), TDF did not publish any hashes or even a…
RockPaperLz- Mask it or Casket
- 3,114
- 21
- 50