piping random scripts from the internet into bash is the worst way of installing things. imagine if there was an operating system where this was the main way of installing things, and people just googled the program name, clicked the first link, and ran an executable file with admin permissions. imagine that
@lynnesbian same x.x
@lynnesbian forget PCMR, it's time for PMMR (Package Manager Master Race)
@lynnesbian is it a wholly custom installer?
@a_breakin_glass hmm? :o
@lynnesbian like, you can extract nullsoft installers with 7zip apparently
@a_breakin_glass ahh ok
that's still an extra step though
@axiom this is very cursed
@lynnesbian we have you cover for very low ruble
@lynnesbian "curl | sudo bash" is a bad idea even if you inspected the script before because it is possible for a web server to detect this and only send you malicious code in that case, serving harmless code otherwise if you download the file to inspect it before running it: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
Of course that doesn't make running obfuscated binary executables without any signatures from random web servers any more reasonable either.
@silentium that is a very interesting attack vector
i would still assume that there's pretty much nobody using this, whereas windows installers that turn out to be viruses are more common than that
@lynnesbian You are probably right, but it is still a bad idea for project websites to propagate this as their primary way of installing their software. It leads to people getting used to this behaviour and be careless with other "curl | bash" instructions in the future as well.
@silentium yeah i agree, curl | bash is a pretty bad idea
@lynnesbian or downloading a downloader for the download (and a nice toolbar you didn't know you need) and running that with admin permissions
@lynnesbian Windows complains loudly when you run an executable file that's not signed, though.
@lynnesbian what difference does it make whether i trust
a) the software's author and the ca chain, or
b) the software's author, the ca chain, and some volunteer distro package maintainer
Ironically has security equivalent to most Linux package repositories.
Removing other folks from the thread. I don't really want to get into a rock-em-sock-em debate since I said my original comment only half seriously.
But seriously for a moment, what you said is a value judgement. You're telling me what you have decided to do, but I think an awful lot of people implicitly trust ISVs. Unless you're using a heavily sandboxed OS like Qubues or iOS, it seems like a pretty intense trust relationship. Both are equally applicable, although they can have different consequences.
By the logic you've laid out, you're making a case I should trust Microsoft and Ubuntu equally since I use both their platforms, but that's not true. So I can't help but remain unconvinced by it.
How many personal PPAs have you added? Are those different?
So I guess you just run old software all the time. Which is a luxury I wish I had. :)
Cool, but. We're so far afield of the original point. Anyone who can run void Linux can safely is a curl sh download, and their security standards are even more obscure.
The simple reality is that curl|sh gets much more hate than ppa's or build-from-source or "download this Deb" and folk's response is, "I super trust that those minimal requirements my OS put down are enough to make our pre-shared public key trust root safe."
But I see this as analogous to NodeJS's woes. All it will take is one person to get control of a critical package and slow roll and issue and we'll all be in the same boat.
That's why I use Qubes when I can. Then, I can actually use a computer like a human and have some degree of confidence that if I use it on a day when my judgement is impaired I'm not automatically totally fucked.
As a general rule, I object to creating security whipping targets because they tend to give a false sense of security to people. Hence I like pointing out curl https:// | sh is essentially a model that lots of people already are trusting.
The response is often "nuh-uh!" but you'll note the thread author here pretty much saw what I was saying and agreed as opposed to trying to lawyer their way into being right.
Maintainers are authority, and around these parts we demand authority justifies itself.
I don't know if void Linux has done that for you, but none of the OS's we have discussed here have sufficiently done it for me except the ones with hard segmentation.
Systemd is not cost me millions of dollars the way runit has, and it's less monolithic than runit. I humbly suggest that you give OSs using it a chance.
Not just because there's a lot of FUD about it, it also because fast boots are security feature. The enable you to turn off your computer more, Which intern makes you much more resistant to cold boot attacks.
Do you know who did that vetting or what their criterion was? Or how often they vet?
That is a thing SSL certs can do.
Thinking on it, maybe the big advantages of packages is that they tend to have a signature over all the binary files as opposed to the status quo of bash scripts leading to other hard-to-audit downloads, and take that as an atomic unit.
It's not really harder to make a package do a dumb thing, but you have less reason to.
@lynnesbian Also, Arch is a distribution target toward *expert* users. If you use AUR, you are supposed to know exactly what you are doing.
@lynnesbian i mean i downloaded a virus from windows update once so there's always a risk even on vetted channels 🤷
@lynnesbian What about all them custom ubuntu repos? (Redhat user so might have the terms wrong) Aren't they all like sketchy?
@Awoo they're certainly less reliable, yeag
@email@example.com's anti-chud pro-skub instance for funtimes