terrorknowed ·

It is good that the repo is transparent. And I'm not insinuating that you have ill intentions. However, a supply chain attacker could replace the script file served from your VPS. Better to pin the install to a specific commit hash. The bad guys will do everything to try and slow us down.

Replies

BSVanon ·

I misunderstood.
That's good constructive criticism — you were right. We just shipped v0.7.1 with the fix.
The install script is now served from GitHub (not our VPS), and the binary is SHA256-verified before execution:
curl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh | sudo bash

What changed:
Script is fetched from raw.githubusercontent.com at a tagged commit — immutable, auditable
Binary downloads from GitHub Releases (not VPS)
Install script downloads checksums.txt from the same release and verifies SHA256 before running anything
Aborts with a clear error on mismatch
Full supply chain process documented: https://github.com/BSVanon/Anvil/blob/main/RELEASING.md
Compromising the VPS no longer compromises the installer. An attacker would need GitHub or the repo owner's credentials, which are properly secured. The old anvil.sendbsv.com/install URL now just 302-redirects to the GitHub-hosted script.
For maximum vigilance, pin to the tag and read the script first:
curl -fsSL https://raw.githubusercontent.com/BSVanon/Anvil/v0.7.1/scripts/install.sh -o install.sh
less install.sh
sudo bash install.sh

Or clone and build from source — as it's all public.
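
The verify-before-run step described in the reply above, as an added example that is not part of the thread and is not Anvil's install.sh: a fail-closed SHA-256 check of a downloaded file against a checksums.txt. The file names and contents are constructed, and the checksums file is assumed to use the `sha256sum` output format.

```shell
#!/bin/sh
# Added example (not the Anvil install.sh): fail-closed SHA-256 verification of
# a downloaded file against a checksums.txt in sha256sum format.

sha256_of() {  # print the hex SHA-256 of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

verify_artifact() {  # $1 = artifact, $2 = checksums file; 0 only on exact match
    [ -f "$1" ] && [ -f "$2" ] || { echo "missing input file" >&2; return 2; }
    name=$(basename "$1")
    # Every hash listed for this exact name ("<hex>  name" or "<hex> *name").
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                                   if (f == n) print tolower($1) }' "$2")
    count=$(printf '%s\n' "$expected" | awk 'NF { c++ } END { print c + 0 }')
    # No entry or duplicate entries: refuse rather than guess.
    [ "$count" -eq 1 ] || { echo "need exactly 1 entry for $name, got $count" >&2; return 3; }
    case $expected in
        *[!0-9a-f]*) echo "malformed hash for $name" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed hash for $name" >&2; return 3; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ] || { echo "SHA256 mismatch for $name" >&2; return 1; }
}

make_sample() {  # build constructed sample files in a temp dir and print its path
    d=$(mktemp -d)
    printf 'constructed binary v0\n' > "$d/tool-linux-amd64"
    printf 'unlisted file\n' > "$d/extra.bin"
    printf '%s  %s\n' "$(sha256_of "$d/tool-linux-amd64")" tool-linux-amd64 > "$d/checksums.txt"
    echo "$d"
}

demo() {
    d=$(make_sample)
    verify_artifact "$d/tool-linux-amd64" "$d/checksums.txt" && echo "ok: hash matches"
    printf 'tampered\n' >> "$d/tool-linux-amd64"   # simulate a swapped download
    verify_artifact "$d/tool-linux-amd64" "$d/checksums.txt" || echo "refused: rc=$?"
    verify_artifact "$d/extra.bin" "$d/checksums.txt" || echo "refused: rc=$?"
    rm -rf "$d"
}
demo
```

A check like this only ties the file to the checksums.txt it is compared against, so the checksums file has to come from a source the installer already trusts.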