Oh. And before any of you lay any blame on the maintainers of these open source projects.

How many of you have blindly installed stuff by running `curl | sudo bash`?

Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?

Xz is the oss supply chain attack we know about. You can guarantee there are many many more. How we manage installation, and dependencies should perhaps have a little more thought...
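One way to replace the pipe-to-shell pattern the post above criticises, as an added example that is not code from anyone in this thread: download the installer to a file, compare it against a SHA-256 the publisher lists out of band (release page, signed manifest), and only then execute it. The function names, the curl flags chosen, and the constructed local "installer" used for the offline demo are all assumptions of this example, not anything the thread supplies.

```shell
#!/bin/sh
# Hypothetical "fetch, pin, verify, then run" helper (added example).
# Replaces `curl URL | sudo bash` with a flow where nothing executes until
# the downloaded file has been hashed and compared against a pinned value.

# Print the SHA-256 of a file; works on coreutils and BSD/macOS userlands.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_SHA256 -> returns 0 on match, 1 otherwise.
verify_download() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_installer URL DEST: download to a file, not a pipe, so it can be
# hashed and read before anything runs. Fails closed on HTTP errors,
# refuses plain http, and insists on TLS 1.2 or newer.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# run_pinned_installer FILE EXPECTED_SHA256: runs the file only if the hash
# matches. Whether to wrap this in sudo is a separate decision; the point
# is that the verification happens first, unprivileged.
run_pinned_installer() {
    verify_download "$1" "$2" || return 1
    sh "$1"
}

# Offline demo with a constructed installer file (no network needed).
demo_file=$(mktemp)
printf 'echo installer-ran\n' > "$demo_file"
demo_hash=$(file_sha256 "$demo_file")          # stands in for the publisher's pinned hash
run_pinned_installer "$demo_file" "$demo_hash" # prints: installer-ran
run_pinned_installer "$demo_file" "deadbeef" >/dev/null 2>&1 \
    || echo "refused to run file whose hash does not match the pin"
rm -f "$demo_file"
```

In real use you would call `fetch_installer "$URL" ./install.sh`, read `./install.sh`, and then `run_pinned_installer ./install.sh "$PINNED_HASH"` with a hash taken from somewhere other than the same URL; a hash served next to the script by the same host proves only that the download was not corrupted in transit.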

@quixoticgeek `curl | sudo bash` is horrifying on so many levels. Projects that suggest this as an install method are immediately suspect to me.

While I'm on a rant, the Ubuntu style "sudo for everything from the default user account" is disturbing as well. Day-to-day user accounts should NOT have root access, full stop.

@allpoints @quixoticgeek I don't want to manage multiple accounts on a computer only I use.

The default configuration is good enough. Nobody is able to do anything without knowing my password.

@dusnm @quixoticgeek The smart approach to security is layers. It's much easier to compromise an everyday account. Giving that account and its password root access is a bad idea.

But it's your machine and you get to choose where the line is between ease of use and security.

IMO a major problem with the Ubuntu approach is they've trained new users to type `sudo` in front of every command without thinking about it. These are the same folks who don't understand why `curl | sudo bash` is bad.
