
Is curl|bash insecure? - philips
https://blog.sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install.html
======
philips
Bootstrapping trust off of the existing TLS infrastructure is really practical
and the article's point about browsers downloading ISOs for Linux distros
really drives that home. One of the things we do in `rkt` is let people
bootstrap the code-signing keys for container images off of keys that a
TLS-secured HTML page presents in its metadata. This allows for easy bootstrapping
while enabling user control of sideloading if they prefer an out-of-band
pubkey distribution method.
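
The metadata-based key bootstrapping described in the comment above, sketched as an added example that is not part of the original comment and is not rkt's own code. It assumes the `ac-discovery-pubkeys` meta tag from the appc discovery spec (the comment does not name it); the path-boundary prefix check, the function name and the sample page are choices made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Meta tag name from the appc discovery spec; an assumption, not stated in the comment.
PUBKEYS_META = "ac-discovery-pubkeys"


class _MetaCollector(HTMLParser):
    """Collects (prefix, key_url) pairs from pubkey discovery meta tags."""

    def __init__(self):
        super().__init__()
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") != PUBKEYS_META:
            return
        parts = (a.get("content") or "").split()
        if len(parts) == 2:  # content is "<prefix> <key-url>"
            self.entries.append((parts[0], parts[1]))


def discover_pubkey_urls(html, image_name):
    """Return the HTTPS key URLs whose prefix covers image_name (hypothetical helper)."""
    collector = _MetaCollector()
    collector.feed(html)
    urls = []
    for prefix, url in collector.entries:
        # Match the prefix exactly or at a path boundary, so a key published
        # for "example.com/app" is not applied to "example.com/application".
        covered = image_name == prefix or image_name.startswith(prefix.rstrip("/") + "/")
        parsed = urlsplit(url)
        # Trust is anchored in TLS, so a plain-HTTP key location is rejected.
        if covered and parsed.scheme == "https" and parsed.netloc:
            urls.append(url)
    return urls


# Constructed sample page standing in for the TLS-served discovery response.
SAMPLE_PAGE = """
<html><head>
<meta name="ac-discovery-pubkeys" content="example.com/app https://example.com/pubkeys.gpg">
<meta name="ac-discovery-pubkeys" content="example.com/app http://example.com/insecure.gpg">
<meta name="ac-discovery-pubkeys" content="example.com/other https://example.com/other.gpg">
</head></html>
"""
```

The returned URLs are only candidates: the fetched key's fingerprint still needs to be shown to the user or compared against a pinned value before it is trusted for a prefix.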

------
dang
[https://news.ycombinator.com/item?id=10277470](https://news.ycombinator.com/item?id=10277470)

