undefined | Better HN

0 pointsjacquesm8y ago0 comments

Even with tarballs all it takes is one fuck-up in a script and your homedirectory is gone. In that sense nothing is safe. You could of course audit all the code that the makefile or build script executes but I really don't know anybody that would do that for anything beyond the trivial.

We've been totally conditioned to just wget some archive, unpack it and build it, and even if git clone takes it one step further in day-to-day practice there is no difference between the two.

0 comments

3 comments · 1 top-level

shawnz8y ago· 2 in thread

I think the parent's concern is that there should at least be SOME way to audit everything. That doesn't necessarily mean that everyone ought to be doing it every time they clone a repo.

jacquesmOP8y ago

Most web interfaces to git will allow you to review the repo, if you blindly clone some repo that someone asks you to clone recursively I would see that mostly as a social engineering hack with the technical hook than a purely technical hack.

And depending on the sophistication you might want to do that in a chrooted environment or a VM.

tedunangst8y ago

There's no way to know if what you see on the web will be what you clone. The inspection must occur locally.

j / k navigate · click thread line to collapse