Post 2008783 by ryen@hackers.town
(DIR) Post #2004981 by feonixrift@hackers.town
2018-12-15T10:54:39Z
0 likes, 1 repeats
`curl -s https://mailinabox.email/bootstrap.sh | sudo bash` Well that just noped the heck out. Never, EVER, curl | bash. Let alone curl | sudo bash. Are you insane?!
(DIR) Post #2004997 by feonixrift@hackers.town
2018-12-15T10:55:25Z
0 likes, 0 repeats
& while I'm at it, why would I ever trust a mail config to someone who thought that was a good idea. *shudders* I'm sure they're very nice folks but that's over the top levels of nope.
(DIR) Post #2005592 by amiloradovsky@functional.cafe
2018-12-15T11:42:36Z
0 likes, 0 repeats
@feonixrift I'd say it's not about `curl |`, but about reviewing scripts before running or not running them at all, and if running then with minimum permissions / maximum isolation. I'm also wondering how `curl` handles TLS failures: will it refuse to download anything if there are problems with the certificates?
(DIR) Post #2005730 by feonixrift@hackers.town
2018-12-15T11:51:05Z
0 likes, 0 repeats
@amiloradovsky Yeah I mean like, either way, either I trust their work or I don't? But that just looks super sketchy. Especially when I'm used to 'don't trust this download without checking the sha-256'
(DIR) Post #2006133 by amiloradovsky@functional.cafe
2018-12-15T12:14:31Z
0 likes, 0 repeats
@feonixrift No, it's not about an absolute trust, but the number of things that can go wrong. Checking hashes will only save you from using files, corrupted during the upload, download, or storage on the server — for somebody who's able to put there a malicious program for people to download, uploading also the matching hashes is likely not a problem. What does make sense is verifying signatures: GPG for the files/commits, and TLS certificates for the servers. ToFU is good enough.
(DIR) Post #2007457 by ryen@hackers.town
2018-12-15T13:30:38Z
0 likes, 0 repeats
@feonixrift but it just clones a git repo and runs a shell script that runs more scripts... I stopped counting at ~17.
(DIR) Post #2008309 by feonixrift@hackers.town
2018-12-15T14:27:31Z
0 likes, 0 repeats
@ryen Yeah normally I just hold my nose and hit install... But I'm starting to think normally I shouldn't.
(DIR) Post #2008783 by ryen@hackers.town
2018-12-15T14:58:41Z
0 likes, 0 repeats
@feonixrift I’m pretty sure most of us do. Sometimes you gotta have a little bit of trust in the community, because that’s a lot of time to comb through all those lines.
(DIR) Post #2009211 by ellied@sleeping.town
2018-12-15T15:20:43Z
0 likes, 0 repeats
@feonixrift at least if it's https, you're only granting unconditional trust to *one* website, right? :P
(DIR) Post #2009580 by feonixrift@hackers.town
2018-12-15T15:37:38Z
0 likes, 0 repeats
@ellied If curl checked everything, I guess? I mean mail setup == root anyway so I'd be trusting them either way but... This kind of procedure decreases the already slim chances that anything slipped into their install would get caught. And ... There was a post a while back about ways to make a server cough up different data on curl | bash than on curl to file. It's a 'code smell' thing but that kettle of fish has gone off.
(DIR) Post #2009605 by ellied@sleeping.town
2018-12-15T15:38:40Z
0 likes, 0 repeats
@feonixrift oh, yikes. Gods, curl | bash installers are such a coal seam fire.
(DIR) Post #2011308 by pertho@bsd.network
2018-12-15T17:04:59Z
0 likes, 0 repeats
@feonixrift All the hipsters are doing it! Look at rvm.io! :flan_molotov:
(DIR) Post #2011543 by feonixrift@hackers.town
2018-12-15T17:16:00Z
0 likes, 0 repeats
@pertho Wtf eww :flan_molotov: is right.
(DIR) Post #2011549 by pertho@bsd.network
2018-12-15T17:16:46Z
0 likes, 0 repeats
@feonixrift More like ... :flan_set_fire:
(DIR) Post #2040845 by rfox@mastodon.technology
2018-12-17T00:37:16Z
0 likes, 0 repeats
@feonixrift I remember seeing a post on HN, talking about ways to detect when someone is piping curl to bash. You could download the script yourself, and you would get the correct one. If you piped the script straight in to bash, the server could send a different file. I don't see why you wouldn't download the script, verify it, and then execute it. It takes like 30 seconds more.
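
The download, verify, then execute sequence from the last post, sketched as an added example that is not part of the thread or of any project mentioned in it. The function names, the `SCRIPT_SHELL` variable and the sample script are constructed; the pinned digest is assumed to come from your own review of the file or from a channel other than the download server, since a digest served next to the file only catches corruption, as noted earlier in the thread.

```shell
#!/bin/sh
# Added example; function names and the sample script are constructed.

# Download to a file instead of a pipe. curl verifies the TLS certificate by
# default and aborts on failure unless -k/--insecure is given.
fetch_to_file() {  # usage: fetch_to_file URL DEST
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --output "$2" "$1"
}

# SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute FILE only if it matches the digest pinned out of band.
run_if_pinned() {  # usage: run_if_pinned FILE EXPECTED_SHA256 [args...]
    file=$1; expected=$2; shift 2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual, pinned $expected" >&2
        return 1
    fi
    "${SCRIPT_SHELL:-sh}" "$file" "$@"
}

# Offline demo on a constructed script (stands in for a reviewed download).
demo=$(mktemp)
printf 'echo "installer ran"\n' > "$demo"
pin=$(sha256_of "$demo")        # real use: recorded after review, or published separately
run_if_pinned "$demo" "$pin"    # digest matches, script runs
printf 'echo "extra line"\n' >> "$demo"   # simulate the server sending a different file
run_if_pinned "$demo" "$pin" || echo "changed file was not executed"
rm -f "$demo"
```

Because the bytes that were reviewed and hashed are the same bytes on disk that get executed, a server that answers a piped request differently has nothing to switch.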