Posted Feb 1, 2006 23:41 UTC (Wed) by Ross
In reply to: klik://kspread-1.5-beta is cool (as is the kword one)
Parent article: KOffice 1.5 beta 1 Released (KDE.News)
It is less secure in a number of ways.
First, the actual download isn't being performed separately. Second, some installers do not allow the package they are installing to take arbitrary actions (unfortunately both RPM and Debian packages run scripts which can basically do what they want as the installing user). Third, there is no sanity checking, checksum verification, or signature checking. How do you even know what you are installing is the same as what was on the Web page two seconds ago?
What is the best way to install software? Well, for one thing it should be downloaded by a non-priviledged user, then verified correct against a trusted source through at least a checksum, but optimally through verification of a cryptographic signature. Then, the install tool should finally compile (if needed) and install the software. Any compilation and installation should not be performed with the root uid (even if started by root). This is possible through many mechanisms, but the most obvious one is setting group writability on the destination directories and making the install process run with membership in that group. Does anything work that way out of the box? Not to my knowledge.
But klick is basically the least secure method, similar to the old Nessus installation instructions.
to post comments)