this post was submitted on 21 May 2024
205 points (96.4% liked)

Programming

17443 readers
172 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
 

New favorite tool 😍

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 27 points 6 months ago (1 children)

I would encourage you to actually think about whether or not this is really true, rather than just parroting what other people say.

I would encourage you to read up on the issue before thinking they haven't.

See if you can think of an exploit I perform if you pipe my install script to bash, but I can’t do it you download a tarball of my program and run it.

Here is the most sophisticated exploit: Detecting the use of "curl | bash" server side.

It is also terrible conditioning to pipe stuff to bash because it's the equivalent of "just execute this .exe, bro". Sure, right now it's github, but there are other curl|bash installs that happen on other websites.

Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.

Anti Commercial-AI license

[–] [email protected] -5 points 6 months ago (2 children)

But..."just execute this .exe, bro" is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?

[–] [email protected] 5 points 6 months ago (1 children)

Are you seriously comparing installing from a repo or "app store" to downloading a random binary on the web and executing it?

P.S I've compiled a lot of stuff using nix, especially when it's not in the cache yet or I have to modify the package myself.

Anti Commercial-AI license

[–] [email protected] -1 points 6 months ago

No, I agree that a package manager or app store is indeed safer than either curl-bash or a random binary. But a lot of software is indeed installed via standalone binaries that have not been vetted by package manager teams, and most people don't use Nix. Even with a package manager like apt, there are still ways to distribute packages that aren't vetted by the central authority owning the package repo (e.g. for apt, that mechanism is PPAs). And when introducing a new piece of software, it's a lot easier to distribute to a wide audience by providing a standalone binary or an install script than to get it added to every platform's package manager.

[–] [email protected] 12 points 6 months ago (2 children)

No, it was compiled by the team which maintains my distro's package repository, and cryptographically verified to have come from them by my package manager. That's a lot different than downloading some random executables I pulled from a website I'd never heard of before and immediately running them as root.

[–] [email protected] 2 points 5 months ago

Everything you've ever needed was available in your distro's package manager?

[–] [email protected] -2 points 6 months ago

Yes, I agree package managers are much safer than curl-bash. But do you really only install from your platform's package manager, and only from its central, vetted repo? Including, say, your browser? Moreover, even if you personally only install pre-vetted software, it's reasonable for new software to be distributed via a standalone binary or install script prior to being added to the package manager for every platform.