dullcrisp 7 hours ago

If there were a legitimate looking GitHub how-to page that asked me to do that, I can see myself doing it. Fortunately, I ignore all security issues on my repositories.

umanwizard 6 hours ago

No they haven’t, they’ve been trained to do

    curl https://url-of-well-known-project | sh

I may not trust the owners of a random domain, but I certainly trust the owners of rustup.rs not to do anything intentionally malicious.

kurisufag 7 hours ago

people make a lot of noise about piping into shell, but even if the instructions were

    wget random.club/rc-12-release.sh
    chmod +x ./rc-12-release.sh
    ./rc-12-release.sh

almost nobody would actually read the script before running it

  • dullcrisp 6 hours ago

    Well yeah, if your intention is to install software from random.club on your system, what would be the point of checking the installer script? The worst thing it can do is the same thing you want it to do.

micw 2 hours ago

Another red flag. I cannot take any project seriously that has this in its documentation.

  • umanwizard an hour ago

    I guess you don’t think the Rust programming language is a serious project, then?

  • kadoban an hour ago

    You prefer that they wrap it in an .msi file and put it on that same website? What do you think the advantages of that are?

  • d0mine an hour ago

    what is the more secure way in your opinion? What is the weak link here? TLS transport? possibly compromised hosting/codebase? trust in app authors? not reading the shell script? checking a signature of some file?
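
An added example, not part of any comment in this thread: one of the options listed in the last reply, checking a downloaded installer against a pinned SHA-256 before running it, which covers the "compromised hosting" case that `curl | sh` cannot. The function names and the demo file are constructed for illustration, and the pinned digest is assumed to come from a channel other than the download host.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a pinned digest.
# In real use the file would first be saved to disk, for instance with
#   curl --proto '=https' --tlsv1.2 -fsSLo installer.sh "$URL"
# and the pin copied from somewhere other than the host serving the script.

sha256_of() {
    # Print the hex SHA-256 of file $1 (GNU coreutils or the perl shasum tool).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

run_if_pinned() {
    # $1 = path to the saved script, $2 = pinned digest (hex).
    # Returns 2 if the file is unusable, 1 on mismatch, else the script's status.
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    # The bytes executed here are exactly the bytes that were hashed.
    sh "$file"
}

demo() {
    # Constructed input: a stand-in installer, then the same file modified.
    tmp=$(mktemp) || return 2
    printf 'echo installed\n' > "$tmp"
    pin=$(sha256_of "$tmp")
    first=0;  run_if_pinned "$tmp" "$pin" >/dev/null || first=$?
    printf 'echo extra-step\n' >> "$tmp"
    second=0; run_if_pinned "$tmp" "$pin" 2>/dev/null || second=$?
    rm -f "$tmp"
    echo "untampered=$first tampered=$second"
}

demo
```

Saving to a file first also means a truncated download fails the check instead of executing a partial script, which a pipe into `sh` would not catch.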