undefined | Better HN

0 pointsformerly_proven5y ago0 comments

Why would a different CLI (presumably still using libgit2) improve security? Especially if it's installed like this: curl -sf https://gobinaries.com/chriswalz/bit | sh;

0 comments

8 comments · 3 top-level

justincormack5y ago· 3 in thread

It doesn’t use libgit2 it shells out to git. So it doesn’t improve security.

pjmlp5y ago

It still does, by adding yet another layer, written in a memory safe language.

Just like a castle with a water pit can still be conquered, but it takes a bit more effort for achieving it.

johnisgood5y ago

I do not care about memory safety only, I would be pissed if it removed my files, for example. :D Security is too broad a term anyways, hence this thread.

monadic25y ago

Depends entirely on threat model. More code is more surface area for vulnerabilities to be found.

maccard5y ago· 2 in thread

> Especially if it's installed like this: curl -sf https://gobinaries.com/chriswalz/bit | sh

What's wrong with this? It's no worse than git clone && make

or any of the other hundred incantations of executing code from the web.

saxonww5y ago

It's much worse. At least with `git clone` you can verify that the code you're building matches something you trust. You have to trust the code and your make tool. You can inspect the code if you're concerned and validate that it's going to do what it says.

It's true that the vast majority of the time a "curl | sh" works fine and does just what you expect it to do, but that's not really the point. The point is that you have no idea what that script your piping will do. You also have no idea whether in this case the binary it fetches is actually built from the code the service says it is; downloading the script first and inspecting it is a good idea, but still not as good as building directly from the code.

This is why we see people do things like publish a hash sum alongside binaries they offer, or use a digital signature. Then we can at least verify that a binary matches what the author says they released, or better yet ensure that the binary was produced by a trusted source.

maccard5y ago

> You can inspect the code if you're concerned and validate that it's going to do what it says.

You can just not pipe the curl script to shell and inspect it [0]. Executing that is no worse than executing a random make command or `brew install`

> downloading the script first and inspecting it is a good idea, but still not as good as building directly from the code

No, you need to inspect the code too if you're that worried. I can write a makefile that just does this: build: curl http://example.com -o bad.txt && cat bad.txt

Either you're actually vetting what you run on your machine, or you're not. curl | sh isn't any worse than git clone && make.

> This is why we see people do things like publish a hash sum alongside binaries they offer, or use a digital signature. Then we can at least verify that a binary matches what the author says they released, or better yet ensure that the binary was produced by a trusted source.

So just publish the hash/signature next to "install instructions" that contains the curl command, and let the user verify the hash themselves. Again, that has nothing to do with the install method.

[0] https://pastebin.com/atHcYR8x

1 more reply

bamboozled5y ago

Memory safety?

j / k navigate · click thread line to collapse