undefined | Better HN

0 points10000truths4y ago0 comments

No worse than downloading a pre-built binary off the internet and running it.

0 comments

4 comments · 2 top-level

chunk_waffle4y ago· 2 in thread

If you follow that to it's logical conclusion then "everything is terrible and nothing is secure" (which is probably the reality)

My personal gripe with piping curl output to sh is about expectations. If I have some binary I'm running, I have _some_ expectations about what it will do, same for a Makefile, and RPM, etc. None of those things are guaranteed to do what they're supposed to but I have some idea what _should_ happen.

Unless I read through the script, I have less expectations about what the script is going to do. It says it will install my program but is it going to pull in dependencies from my package manager? Download and compile something, shove binaries in my $PATH, edit dot files in $HOME?

gowld4y ago

Makefile, RPM , and shell all essentially do the same thing and have the same power to violate your system.

chunk_waffle4y ago

To re-iterate, for me its not really about the potential for abuse, its more about expectations. You can abuse anything (though I'd also argue that signed packages from companies like RedHat and Canonical are usually up to a higher standard than the random Shell script plucked from the internet.)

If someone places a shoe box on your doorstep you might expect shoes to be inside. Of course, there's a non zero chance its full of bees. But shoes are a reasonable guess.

If someone places a cardboard box on your doorstep with no writing on it whatsoever, there's no expectation about whats in the box. (Unless you hear the bees buzzing from a distance.)

eyelidlessness4y ago

Except it's been demonstrated you can detect a pipe to shell server-side.

j / k navigate · click thread line to collapse