
piping random scripts from the internet into bash is the worst way of installing things. imagine if there was an operating system where this was the main way of installing things, and people just googled the program name, clicked the first link, and ran an executable file with admin permissions. imagine that

seriously though after having used a package manager windows just scares me

at least with piping a bash script you can look at what it's doing first, there's not really anything you can do to make sure InstallFreeGame.exe isn't doing anything bad

good thing everyone either uses chocolatey/scoop or the windows store, right

right

right guys

all these people replying about how package managers are the same thing wth

who are all these people who managed to download a virus from the debian repos or whatever

and before someone tells me about the aur

the arch wiki tells you never to trust the aur, forbids aur managers from being added to the main repos (so you have to go out of your way to install them), and recommends that you read every install script before running it

@lynnesbian "curl | sudo bash" is a bad idea even if you inspected the script before because it is possible for a web server to detect this and only send you malicious code in that case, serving harmless code otherwise if you download the file to inspect it before running it: idontplaydarts.com/2016/04/det

Of course that doesn't make running obfuscated binary executables without any signatures from random web servers any more reasonable either.

@silentium that is a very interesting attack vector

i would still assume that there's pretty much nobody using this, whereas windows installers that turn out to be viruses are more common than that

@lynnesbian You are probably right, but it is still a bad idea for project websites to propagate this as their primary way of installing their software. It leads to people getting used to this behaviour and being careless with other "curl | bash" instructions in the future as well.

@lynnesbian hahahaha
little do you know, servers can detect if you're piping into bash or not. so if you curl to read the script, it can send you something harmless, and then when you curl to pipe into bash, it can send you another thing

i hate computers

@dunnofam yeah i saw that

piping into bash is a bad idea, it's just not as bad an idea

@dunnofam that's true, if you do it that way it solves that issue

@lynnesbian or downloading a downloader for the download (and a nice toolbar you didn't know you need) and running that with admin permissions

@lynnesbian Windows complains loudly when you run an executable file that's not signed, though.

@jkb @lynnesbian Yes, but the OS trains its users to ignore those complaints by annoying them with false positive "ARE YOU SURE?!" prompts for every installation.

@lynnesbian what difference does it make whether i trust

a) the software's author and the ca chain, or

b) the software's author, the ca chain, and some volunteer distro package maintainer

@lynnesbian

Ironically has security equivalent to most Linux package repositories.

@endomain @lynnesbian no it doesn't? the packages you download still have the authority granted by tls, just like a reasonably secure curl | bash installation would, but also have their own cryptographic signatures and the curation of the repository maintainer

@endomain @lynnesbian also a package from a repository can't be half downloaded and then executed partway through, causing unintended behaviour, which can absolutely happen with curl | bash

not a security issue as such but still worth noting
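Both problems raised in this part of the thread (a server sending different content when it detects a pipe into bash, and a pipe executing a half-downloaded script) are avoided by saving the installer to disk and checking it against a pinned SHA-256 before anything runs. A sketch of that check, added here and not written by anyone in the thread; `sha256_of`, `run_if_pinned`, the sample installer and the `example.invalid` URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: execute an installer only if the bytes on disk match a pinned
# SHA-256. All names and the sample installer are constructed for illustration.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_pinned FILE EXPECTED_SHA256
# Runs FILE with sh and returns its status; returns 1 without executing
# anything if the digest differs (tampered, swapped or truncated download).
run_if_pinned() {
    actual=$(sha256_of "$1")
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "refusing to run $1: SHA-256 mismatch" >&2
        return 1
    fi
    sh "$1"
}

# Real use: save the download to disk first, e.g.
#   curl -fsSLo install.sh https://example.invalid/install.sh
# and take the expected digest from a separate channel you trust.

# Offline demo on a constructed installer that only writes a marker file.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo step-1\necho done > "%s/marker"\n' "$dir" > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")
    # Simulate a connection dropped mid-transfer: keep the first 10 bytes.
    head -c 10 "$dir/install.sh" > "$dir/partial.sh"
    run_if_pinned "$dir/partial.sh" "$pinned" && partial_rc=0 || partial_rc=$?
    [ -e "$dir/marker" ] && ran_partial=yes || ran_partial=no
    run_if_pinned "$dir/install.sh" "$pinned" >/dev/null && full_rc=0 || full_rc=$?
    [ -e "$dir/marker" ] && ran_full=yes || ran_full=no
    rm -rf "$dir"
    echo "$partial_rc $ran_partial $full_rc $ran_full"
}

demo
```

The demo prints the exit status and "did it run" flag for the truncated copy, then for the intact file. A digest published on the same server as the script only detects truncation; it does not help if that server is the one misbehaving.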

@00dani

@lynnesbian

True, but it's hardly fair to cite the curlscript method for unreliability when package installations break for other reasons.

@00dani

@lynnesbian

Which are just another version of SSL certs only without a global registry? Say what you will about the morality of a central trust root for SSL, it's a bigger hoop than "hit up my ppa".

@endomain @00dani

PPAs are nowhere near as secure as the default ubuntu repos, yes

@lynnesbian

@00dani

So then the extra security (in the model) would be if we believed the Ubuntu repo keys are more secure than their SSL cert.

I'm willing to entertain this but offhand I can't imagine why that would be.

@endomain @lynnesbian @00dani Because if you installed Ubuntu, you presumably trust the Ubuntu maintainers not to put malware in their packages.

@alexbuzzbee

@lynnesbian @00dani

Does this logic not extend to curl | bash? Presumably we're talking about cases where the user trusts.

@endomain @lynnesbian @00dani No, it does not. Your operating system maintainer is someone you already trust, who is certifying (by creating, signing, and distributing the package) that the software meets their standards. No such standards are applied to software you install by curl | sh, unless you independently verify the software and its installer.

@alexbuzzbee

Removing other folks from the thread. I don't really want to get into a rock-em-sock-em debate since I said my original comment only half seriously.

But seriously for a moment, what you said is a value judgement. You're telling me what you have decided to do, but I think an awful lot of people implicitly trust ISVs. Unless you're using a heavily sandboxed OS like Qubes or iOS, it seems like a pretty intense trust relationship. Both are equally applicable, although they can have different consequences.

By the logic you've laid out, you're making a case I should trust Microsoft and Ubuntu equally since I use both their platforms, but that's not true. So I can't help but remain unconvinced by it.

@endomain It comes down to this: Packages in an OS repository have been vetted by somebody. Software you install through curl | sh has not been. Software that is not malicious will not be in the OS repo unless the OS maintainer is evil or has been tricked, both of which are relatively unlikely.

If you run Windows and expose it to your information, you do trust Microsoft at least somewhat. Probably, and hopefully, not as much as the Ubuntu maintainers, but at some level.

@endomain Literally anyone with an Internet connection and some basic Web and Unix skills can put up a fancy site describing some awesome software and tell you to run curl | sh to install it. That is not the case with publishing software in a package repository.

@alexbuzzbee

How many personal PPAs have you added? Are those different?

@endomain PPAs aren't secure. You should not trust them any more than you would trust curl | sh. Additionally, I'm not running Ubuntu, so the concept doesn't exactly apply to me, but I have no third-party repos configured; I install everything I can from the official repos, and when I can't, I look into the software I'm installing first and find an AppImage or a source tarball.

@alexbuzzbee

So I guess you just run old software all the time. Which is a luxury I wish I had. :)

@endomain I run Void Linux, which packages new software versions relatively quickly, so I'm mostly up-to-date. Ubuntu is slow to update mainly because its upstream is Debian, which is well-known as the stable and slow-moving distro.

@alexbuzzbee

Cool, but. We're so far afield of the original point. Anyone who can run Void Linux can safely is a curl sh download, and their security standards are even more obscure.

The simple reality is that curl|sh gets much more hate than PPAs or build-from-source or "download this Deb" and folks' response is, "I super trust that those minimal requirements my OS put down are enough to make our pre-shared public key trust root safe."

But I see this as analogous to NodeJS's woes. All it will take is one person to get control of a critical package and slow roll an issue and we'll all be in the same boat.

@alexbuzzbee

That's why I use Qubes when I can. Then, I can actually use a computer like a human and have some degree of confidence that if I use it on a day when my judgement is impaired I'm not automatically totally fucked.

@alexbuzzbee

As a general rule, I object to creating security whipping targets because they tend to give a false sense of security to people. Hence I like pointing out curl https:// | sh is essentially a model that lots of people already are trusting.

The response is often "nuh-uh!" but you'll note the thread author here pretty much saw what I was saying and agreed as opposed to trying to lawyer their way into being right.

@endomain I will agree that people do insecure things a lot more than they think, but I don't believe that "install a package selected, assembled, and signed by a trusted maintainer" is an insecure model, and it is the default way that Linux users install software as long as you don't modify the package manager configuration.


@endomain Qubes is nice. I've considered it quite a few times, and I may still switch to it at some point. My main problem has been that I don't particularly like systemd (I'm not going to get into that right now), and Qubes' dom0 is systemd-based.

@alexbuzzbee

Systemd has not cost me millions of dollars the way runit has, and it's less monolithic than runit. I humbly suggest that you give OSs using it a chance.

Not just because there's a lot of FUD about it, but also because fast boots are a security feature. They enable you to turn off your computer more, which in turn makes you much more resistant to cold boot attacks.

@alexbuzzbee

Do you know who did that vetting or what their criterion was? Or how often they vet?
