Oh. And before any of you lay any blame on the maintainers of these open source projects.

How many of you have blindly installed stuff by running curl | sudo bash ?

Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?

Xz is the oss supply chain attack we know about. You can guarantee there are many many more. How we manage installation, and dependencies should perhaps have a little more thought...
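One way to do what the post above asks, as an added example that is not part of the thread: download the install script to a file, compare its SHA-256 with a digest obtained out of band (release page, signed manifest), and only then read and run it. It assumes `curl` plus `sha256sum` or `shasum`; the function names are made up here.

```shell
#!/bin/sh
# Added example, not code from the thread. Fetch an install script to disk,
# verify its SHA-256 against a value obtained out of band, then run it only
# if the caller explicitly asks. Assumes curl and sha256sum or shasum.

sha256_of() {
    # Print the hex SHA-256 of a file using whichever tool the system has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_script() {
    # $1 = path to downloaded script, $2 = expected SHA-256 (lowercase hex).
    # Returns 0 only when the digests match.
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

fetch_verify_run() {
    # $1 = URL, $2 = expected SHA-256, $3 = "yes" to execute after review.
    url=$1; expected=$2; run=${3:-no}
    tmp=$(mktemp) || return 1
    # Downloading to a file first means the whole script exists before any
    # of it executes, so a truncated transfer cannot run a half-finished script.
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if ! verify_script "$tmp" "$expected"; then
        echo "checksum mismatch for $url; not running" >&2
        rm -f "$tmp"; return 2
    fi
    echo "verified $url -> $tmp; read it (less \"$tmp\") before running" >&2
    if [ "$run" = yes ]; then
        # Runs as the current user; put sudo here only if the script truly needs root.
        sh "$tmp"
    fi
    rm -f "$tmp"
}
```

The digest check only proves you got the file the project published; reading the script before running it is still the step that tells you what it does.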

@quixoticgeek `curl | sudo bash` is horrifying on so many levels. Projects that suggest this as an install method are immediately suspect to me.

While I'm on a rant, the Ubuntu style "sudo for everything from the default user account" is disturbing as well. Day-to-day user accounts should NOT have root access, full stop.

@allpoints @quixoticgeek I don't want to manage multiple accounts on a computer only I use.

The default configuration is good enough. Nobody is able to do anything without knowing my password.

@dusnm @quixoticgeek The smart approach to security is layers. It's much easier to compromise an everyday account. Giving that account and its password root access is a bad idea.

But it's your machine and you get to choose where the line is between ease of use and security.

IMO a major problem with the Ubuntu approach is they've trained new users to type `sudo` in front of every command without thinking about it. These are the same folks who don't understand why `curl | sudo bash` is bad.


@allpoints @dusnm at one job, colleague complained that I didn't include sudo with commands in documentation, instead having a # or $ for the prompt to tell if it needed sudo/root. That way people didn't just copy paste stuff without knowing what they were doing.


@quixoticgeek @dusnm

"That way people didn't just copy paste stuff without knowing what they were doing."

Personal systems are one thing but I would be concerned if I had colleagues with root access who cut/paste commands without understanding when/why root level access is required.
