Oh. And before any of you lay any blame on the maintainers of these open source projects.

How many of you have blindly installed stuff by running `curl | sudo bash`?

Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?

Xz is the OSS supply chain attack we know about. You can guarantee there are many, many more. How we manage installation and dependencies should perhaps have a little more thought...
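As an added illustration of the "did you verify what the script installed?" point (this is example code, not something posted in the thread): download the installer to a file first, compare it against a SHA-256 you obtained through a separate trusted channel (assumed here, e.g. the project's signed release notes), and only then hand it to an interpreter. The sample installer and its digest are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a known-good SHA-256
# before executing it, as an alternative to piping curl straight into sudo bash.
# The expected digest is assumed to come from a trusted source obtained
# separately from the download itself.

# Compute a SHA-256 digest portably (GNU coreutils sha256sum, else BSD/perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE with INTERPRETER (default: sh) only when its digest matches.
# On mismatch it prints both digests to stderr, returns 1, and leaves the
# file untouched so it can be inspected instead of silently executed.
verify_and_run() {
    file=$1
    expected=$2
    interp=${3:-sh}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    "$interp" "$file"
}

# Demonstration with a constructed installer script written to a temp file,
# so nothing is fetched from the network.
demo() {
    tmp=$(mktemp)
    printf 'echo "installer ran"\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_and_run "$tmp" "$good"            # digest matches: installer runs
    verify_and_run "$tmp" "0000deadbeef"     # digest differs: refused, exit 1
    rm -f "$tmp"
}

demo
```

In real use the download step would be `curl -fsSLo installer.sh <URL>` followed by `verify_and_run installer.sh <published digest> bash`; the point is that the file exists on disk and can be read before anything executes, and that the digest is checked against a value that did not travel with the file.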

@quixoticgeek `curl | sudo bash` is horrifying on so many levels. Projects that suggest this as an install method are immediately suspect to me.

While I'm on a rant, the Ubuntu style "sudo for everything from the default user account" is disturbing as well. Day-to-day user accounts should NOT have root access, full stop.

@allpoints @quixoticgeek I don't want to manage multiple accounts on a computer only I use.

The default configuration is good enough. Nobody is able to do anything without knowing my password.


@dusnm @allpoints If you're just sticking sudo in front of the command and having no further authentication, what exactly is the purpose of sudo?


@quixoticgeek@social.v.st @dusnm@fosstodon.org @allpoints@mstdn.social Simon says. Which seems fine as a simple check that you really mean to make a system-level change, rather than a security measure.

Seems better than doing things that don't need to be root (eg. decompressing and compiling things) in a root shell, anyway.

@kim @allpoints @dusnm Except you then find people just putting sudo in front of everything... At least the password adds an extra check. Type it on every command and you're not gonna use it when it's not needed.

@quixoticgeek@social.v.st @allpoints@mstdn.social @dusnm@fosstodon.org Repeatedly typing a password would appear to be equivalent to repeatedly just typing "sudo " for those purposes. Except with more risk that your password ends up in your .bash_history.

(Though to be fair, I usually have sudo configured to prompt me for a password.)
