This would also explain why it's pointed at the developer's server, rather than a GitHub URL: if it were a GitHub URL, it would be impossible to do malicious substitutions like this.
http://web.archive.org/web/20240406132938/https://www.idontp... (archive because HSTS and the cert is expired).
The point is: all these zsh kitchen sink projects try to be all-in-one-fits-everyone tools that unfortunately fail this way or another and sometimes are very opinionated. I have to admit they are good for starters and for those who want to delve into the guts of zsh (and shells in general) in order to tailor your own config in the end. But not this one! This looks like hell from all perspectives.
- I volunteered to help make the Bash and ZSH logos
- I have nothing to do with "zi", I never heard of that project or the people involved.
Thank you.
I think the lesson of this small aspect of the "zi" tale is that one should strive to have a single source of truth (a single copy of the data served at the URL), and that in security contexts one needs to be very precise with exactly which guarantees have been established for which data at which point in time: it is surprisingly easy to implicitly add an assumption like "GET requests returning 200 OK behave like pure functions".
[1]: Though this might just be me piling on the mockery of their project, for my own amusement and schadenfreude.
[2]: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b..., alternatively https://web.archive.org/web/20240406132938/https://www.idont..., discussed here e.g. https://news.ycombinator.com/item?id=11532599 (122 comments)
[3]: I am not sure if zsh behaves like bash in this case, as in: Does zsh only read part of its input before it starts executing commands?
To update, do an upstream merge after comparing the diff
https://web.archive.org/web/20200309073226/https://github.co...
Probably it is an experiment to see how many people will fall for this.
Well, it appears they do acknowledge it's a fork at least, but agreed I wouldn't want this on my computer. The toctou issue is ... Bleh.
This is all that is in my zshrc:
# Install Zi if not already installed
if [[ ! -f $HOME/.zi/bin/zi.zsh ]]; then
print -P "%F{33} %F{160}Installing (%F{33}z-shell/zi%F{160})…%f"
command mkdir -p "$HOME/.zi" && command chmod go-rwX "$HOME/.zi"
command git clone -q --depth=1 --branch "main" https://github.com/z-shell/zi "$HOME/.zi/bin" && \
print -P "%F{33} %F{34}Installation successful.%f%b" || \
print -P "%F{160} The clone has failed.%f%b"
fi
This seems like a bit of an overreaction to someone contributing open source software. Every component of zshell is open (including the website) under the github organization. If they fucked up the checksum version of the download (didn't exist when I started using zshell), submit a PR maybe? As far as the accusation that they're trying to look like official Zsh: the description for the website and repo is literally "A Swiss Army Knife for Zsh - Unix Shell." You cannot miss it. I don't have a dog in this but this is clearly an overreaction. ss-o has put a lot of time into this and made the best zsh plugin manager imo. Calling it "scammy looking" and "boo hoo he works in marketing" is a cheap blow.
It can of course all be unfortunate accidents (and still has a good chance to be such), but that means nothing - a malicious person would of course try to make all their actions seem as such.
[0]: https://github.com/z-shell/zi/issues/287, though it doesn't notice the double-curl in "verified" being a massive security issue which makes it worse than useless
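An added illustration of the double-curl problem raised in the footnote above and of the "GET is not a pure function" lesson earlier in the thread. This is example code written for this page, not the zi installer: the fake server, its state directory and the two install functions are constructed stand-ins.

```shell
#!/bin/sh
# Constructed demo (not the project's installer): an installer that downloads a
# script once to hash it and again to run it has not verified what it runs.
# The fake server below answers the first request with the script whose hash
# is "published" and every later request with a different script.

sha256_of() {                        # portable sha256 of a file
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

SERVER_STATE=$(mktemp -d)            # per-run state for the fake server
reset_server() { rm -f "$SERVER_STATE/count"; }
fetch() {                            # stand-in for `curl -fsSL "$URL"`
    n=$(cat "$SERVER_STATE/count" 2>/dev/null || echo 0)
    echo $((n + 1)) > "$SERVER_STATE/count"
    if [ "$n" -eq 0 ]; then echo 'echo good'       # what the hash was made from
    else echo 'echo tampered'; fi                   # what is served afterwards
}

# The checksum a "verified" install page would publish for the good script.
GOOD_SHA=$(reset_server; t=$(mktemp); fetch > "$t"; sha256_of "$t"; rm -f "$t")

# Flawed: hash one download, then pipe a SECOND download into the shell.
double_fetch_install() {
    t=$(mktemp); fetch > "$t"
    if [ "$(sha256_of "$t")" != "$GOOD_SHA" ]; then
        rm -f "$t"; echo rejected; return 1
    fi
    rm -f "$t"
    fetch | sh                       # executes whatever the server serves *now*
}

# Sound: download once, hash that file, and execute that same file.
single_fetch_install() {
    t=$(mktemp); fetch > "$t"
    if [ "$(sha256_of "$t")" = "$GOOD_SHA" ]; then
        sh "$t"; rc=$?
    else
        echo rejected; rc=1
    fi
    rm -f "$t"; return $rc
}
```

With the server fresh, the flawed installer passes its hash check and then runs the tampered script; the sound one runs the good script and rejects the tampered one on the next attempt.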
To clarify one thing, I'm not concerned that they "work in marketing". I am concerned that the marketing page is fake: it's a bunch of AI generated faces and fake LinkedIn profiles. This does not lead me to the conclusion that they work in marketing at all.
As for your version of the script, it still strikes me as a _little_ weird (why put a self-install inside the .zshrc that is only expected to run once per system you have it on), but clearly far less concerning than the version they have in the current docs.
All code execution involves some degree of trust. There's enough here to make me personally not trust the developer, but if the information here doesn't give someone else the same qualms, that's entirely fine.
It's not my version of the script, it's what his auto-installer did to my zshrc, which I've retained.
And the purpose of a self-install in the zshrc is twofold: portability to new systems, ie when I moved from macOS to Arch, my zshrc could stay mostly the same, and package management stuff. You may not be familiar with zshell/zinit forks but one can also use them as general package managers (https://wiki.zshell.dev/ecosystem/packages/synopsis) and do pretty cool shim stuff as well (https://wiki.zshell.dev/ecosystem/annexes/bin-gem-node) (https://zdharma-continuum.github.io/zinit/wiki/Annexes/).
I don't think the genuine issues brought up (his new silly way of auto-installing zshell, etc) warrant the reaction this is getting (unixorn taking it off of awesome-zsh-plugins, etc).
Issue was from last september so he's pretty behind but--accusations of being malicious/scammy are not credible.
For instance:
alias ls='ls -F'
> By which I mean, his project is beating zsh.org itself in my search for "zshell"
Ouch! This is probably the most damning thing in this whole article. If I worked at Google I would hang my head in shame at how lousy Search results have gotten, but I think the staff at Google have been too busy playing in the company ball-pit to care.
And no one is searching for zshell either: https://trends.google.com/trends/explore?q=zshell,zsh,ksh,cs...
In short, the example is invalid.
That said, my ranking on Google for "zshell" is Oh My Zsh, the Wikipedia article (which is titled "Z shell"), zsh.sourceforge.org, and zshell.dev, in that order. DDG is similar, except the spam site https://zshwiki.org is ranked just before zshell.org ("The Zsh framework can be used to develop LGBT inclusion initiatives [..] One of the first steps in promoting LGBT inclusion is increasing awareness of the issue among porno gay employees").
It may have better SEO as well, but the main point is that, to rise above the authoritative source, it actually also is performing way better in terms of user metrics.