undefined | Better HN

story

0 pointstlrobinson12y ago0 comments

Because people who use command lines / open source software generally have better judgement about this sort of thing than the average user?

You either have to trust Docker (a fairly well known project built by reputable people) isn't going to root your machine, or download the source yourself and audit it.

This is no worse than suggesting you "git clone whatever; cd whatever; make" (aside from the lack of SSL)

0 comments

jlgreco12y ago

> You either have to trust Docker

...and everybody else on my network, with that method. Doing that I don't even get the chance to think "Hey wait a second, why was this only 50 bytes of shell script...".

The reason that you see outrage for this "method" is because it is born of laziness and far too reminiscent of more disturbing times in computer security.

tlrobinsonOP12y ago

The original poster didn't say his issue was with the lack of HTTPS so I assumed he doesn't approve of this technique in general, but yes, I agree HTTPS should be used.

ics12y ago

> Because people who use command lines / open source software generally have better judgement about this sort of thing

Why do we need an instruction on downloading the source to begin with? It really just promotes bad habits with those who know no better, i.e. new/inexperienced developers. The problem is when people see instructions like that on 20% of the guides they read in earnest, trusting that everything is OK if enough people say it. One hopes they stumble upon a discussion like this so that they can consider the consequences but that just isn't going to happen to everyone. True, one should exercise equal caution while cloning, gem-ing[1], etc. It would be great if authors would just link to the source and paste the relevant lines from the README if necessary.

[1] http://andre.arko.net/2013/03/29/rubygems-openssl-and-you/

j / k navigate · click thread line to collapse