Oh. And before any of you lay any blame on the maintainers of these open source projects.

How many of you have blindly installed stuff by running curl | sudo bash ?

Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?

Xz is the oss supply chain attack we know about. You can guarantee there are many many more. How we manage installation and dependencies should perhaps have a little more thought...

@quixoticgeek `curl | sudo bash` is horrifying on so many levels. Projects that suggest this as an install method are immediately suspect to me.

While I'm on a rant, the Ubuntu style "sudo for everything from the default user account" is disturbing as well. Day-to-day user accounts should NOT have root access, full stop.

@allpoints @quixoticgeek sudo/curl gets a lot of unjustified flak though.
You need root to install a deb or rpm or whatever package just as well. And the pre-/post install scripts in those are less visible if anything.

@felixf @quixoticgeek sorry, it deserves all the flak it gets. I don't have a problem at all with an install script. But the instructions aren't "download this, look it over and run it as root."

And yes, packages require root access and run scripts. However I have some trust/faith/hope the package maintainers have done their job well.

The fact is curl/sudo has a bad smell to it and makes me distrust the projects that suggest it.
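The first post asks whether anyone verified what a piped install script ran, and the post above spells out the alternative: "download this, look it over and run it as root." The script below is an added example of that workflow, written for this page and not taken from the thread or from any project; the URL, the expected checksum, the sample install script and the list of patterns worth eyeballing are all constructed for the demo. It fetches to a file instead of piping to a shell, refuses to run anything whose SHA-256 does not match a value you obtained separately, and prints the lines a reviewer would want to read before typing `sudo`.

```shell
#!/bin/sh
# Added example (not from the thread): fetch -> pin checksum -> inspect -> run,
# instead of `curl URL | sudo bash`. Everything below that names a URL, a hash
# or a script body is constructed for the demo. A real expected checksum must
# come from a channel independent of the download (release page, signed
# manifest), otherwise the check proves nothing.
set -eu

# fetch_to_file URL DEST: download to disk so the bytes can be inspected and
# hashed before anything executes. Never piped to a shell. (Not exercised in
# the offline demo below.)
fetch_to_file() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# audit_script FILE: print (to stderr, with line numbers) the lines a reviewer
# should read first, and print the count of such lines to stdout.
# The pattern list is an illustrative starting point, not a detector.
audit_script() {
    pat='(curl|wget|eval|base64|sudo|chmod +s|/dev/tcp)'
    count=$(grep -cE "$pat" "$1") || count=0
    grep -nE "$pat" "$1" >&2 || true
    echo "$count"
}

# verify_and_run SCRIPT EXPECTED_SHA256: execute SCRIPT only if its SHA-256
# matches EXPECTED_SHA256; otherwise run nothing and return 1.
# After review, the real call would be `sudo sh "$script"`; the demo stays
# unprivileged.
verify_and_run() {
    script="$1"
    expected="$2"
    actual=$(sha256sum "$script" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $script: got $actual, want $expected" >&2
        return 1
    fi
    sh "$script"
}

# demo: stand-in for the downloaded installer, constructed here so the example
# runs offline. It contains one line (eval) the audit should flag.
demo() {
    workdir=$(mktemp -d)
    installer="$workdir/install.sh"
    cat > "$installer" <<'EOF'
#!/bin/sh
set -e
echo "pretend: unpacking release tarball"
eval "$(printf 'echo pretend: configuring')"
EOF
    # In real use this hash is copied from the project's release notes, not
    # computed from the file you just fetched.
    pinned=$(sha256sum "$installer" | cut -d' ' -f1)

    echo "== lines to review before running as root =="
    hits=$(audit_script "$installer")
    echo "== $hits line(s) flagged; now running with pinned checksum =="
    verify_and_run "$installer" "$pinned"

    echo "== tampered copy must be refused =="
    echo 'echo "something extra"' >> "$installer"
    if verify_and_run "$installer" "$pinned"; then
        echo "BUG: tampered script ran" >&2
        exit 1
    fi
    rm -rf "$workdir"
}

demo
```

The point of `verify_and_run` is not the hash itself but where it comes from: a checksum published next to the download on the same server adds nothing, because whoever can replace the script can replace the checksum. Pinning the value in your own provisioning repo, or checking a signature against a key you already trust, is what turns the step into a real check. The audit function is deliberately crude; its job is to make sure the "look it over" step actually happens, not to replace it.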

@allpoints @quixoticgeek what inspires that trust/faith/hope?

Why don’t you expect instructions to first decompile the package and check its scripts?

@felixf @quixoticgeek to answer your 2nd question 1st, because I have a life and don't have the time/interest to do that.

If it's not apparent why I have more faith in a package from my chosen distro, or from a project that understands and has taken the time to build one, then I'm not sure we have a common enough framework to have a fruitful discussion.

@allpoints @quixoticgeek fair enough, but curl/sudo installers don’t replace distribution packages. They replace upstream apt/yum repos. And I maintain that the surplus trust that people put in the latter is mostly undeserved.


@felixf @allpoints aside from all the other issues with curl|bash, they often don't come with an uninstall function.

