Post AaheG3yEnACbBEjBQm by patterfloof@meow.social
(DIR) Post #Aafka4VIjJ0W2DCHlg by LionsPhil@plush.city
2023-10-11T10:52:20Z
14 likes, 12 repeats
Why are you stressing about arbitrary code execution vulnerabilities in #curl ? You were just going to pipe the output to sh anyway. :ablobcatcoffee:
(DIR) Post #AaheFrm68TMTM6xJqK by patterfloof@meow.social
2023-10-12T09:48:24Z
1 likes, 0 repeats
@LionsPhil I really hate those kinds of installers. give me a distro package or the source code, don't try to be automagic about it, especially when the result of your install.sh is wildly different between distributions
(DIR) Post #AaheG33ADMY4KE1bTE by mjgardner@social.sdf.org
2023-10-12T13:38:22Z
0 likes, 0 repeats
@patterfloof @LionsPhil Of course, you’re manually unpacking the deb or rpm or whatever and examining it. Or poring over the source and its configure script to make sure nobody snuck something into the morass that autotools generated. Right?
(DIR) Post #AaheG3yEnACbBEjBQm by patterfloof@meow.social
2023-10-12T13:45:12Z
1 likes, 0 repeats
@mjgardner @LionsPhil I'm trusting known distribution maintainers & normal software build methods, rather than random self-install run as root shell script
(DIR) Post #AaheINXyyglMTVYFV2 by aburka@hachyderm.io
2023-10-11T22:41:15Z
1 likes, 0 repeats
@lispi314 @LionsPhil Many many projects have `curl this.website | sh` (or even sudoing it, but that's less common thankfully) as the official installation instructions. Even Rust does it! https://www.rust-lang.org/learn/get-started
(DIR) Post #AaheJ0VW7mxpJ9hKZU by aburka@hachyderm.io
2023-10-11T22:43:50Z
1 likes, 0 repeats
@lispi314 @LionsPhil That rust install script is >700 lines. I would say there are many "sane" people who make the risk calculation to trust the site, out of convenience and/or knowing that it's not even going to be easy to spot something underhanded in an install script