Comment by fijiaarone

Comment by fijiaarone 10 months ago

Everyone has been trained for years to do this:

curl http://obscure.url?random-string | sh

dullcrisp 10 months ago

If there were a legitimate looking GitHub how-to page that asked me to do that, I can see myself doing it. Fortunately, I ignore all security issues on my repositories.

Reply View 1 reply

ToValueFunfetti 10 months ago

Security by lack thereof

Reply View | 0 replies

umanwizard 10 months ago

No they haven’t, they’ve been trained to do

    curl https://url-of-well-known-project | sh

I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.

Reply View 2 replies

account42 10 months ago

Then you are more trusting of the Serbian National Internet Domain Registry than you should be.

Reply View | 0 replies
guappa 10 months ago

Microsoft owns more domain names than the amount of neurons in the brain.

Reply View | 0 replies

kurisufag 10 months ago

people make a lot of noise about piping into shell, but even if the instructions were

wget random.club/rc-12-release.sh

chmod +x ./rc-12-release.sh

./rc-12-release.sh

almost nobody would actually read the script before running it

Reply View 3 replies

dullcrisp 10 months ago

Well yeah, if your intention is to install software from random.club on your system, what would be the point of checking the installer script? The worst thing it can do is the same thing you want it to do.

Reply View | 2 replies
- umanwizard 10 months ago
  
  Yes, which is why complaining about curl | sh is silly.
  
  Reply View | 1 reply
  
  dullcrisp 10 months ago
  
  I’m not disagreeing.
  
  Reply View | 0 replies

fijiaarone 10 months ago

or even this:

git clone http://github.com/unknown/repo.git && cd repo && npm install

Reply View 1 reply

darkwater 10 months ago

Even worse:
$ svn checkout
$ ./configure
$ make
# make install

Reply View | 0 replies

micw 10 months ago

Another red flag. I cannot take any project serious that has this on its documentation.

Reply View 5 replies

kadoban 10 months ago

You prefer that they wrap it in an .msi file and put it on that same website? What do you think the advantages of that are?

Reply View | 0 replies
umanwizard 10 months ago

I guess you don’t think the Rust programming language is a serious project, then?

Reply View | 1 reply
- guappa 10 months ago
  
  I mean they even named the website cargo, after cargo culting! (jk)
  
  Reply View | 0 replies
d0mine 10 months ago

what is the more secure way in you opinion? What is the weak link here? TLS transport? possibly compromised hosting/codebase? trust in app authors? not reading the shell script? checking a signature of some file?

Reply View | 1 reply
- micw 10 months ago
  
  My issue is the bypassing of the systems package manager. Doing so will result on files spread somewhere over the system. How do you uninstall such thing properly? How do you update (or even know) it's dependencies? Will it break because I uninstall or update one of it's dependencies?
  Linux has a very good package management for many years. I see absolute no reason to break this by creating shell installers.
  
  Reply View | 0 replies