@marcan@treehouse.systems @theartlav > not just "someone may sub in a malicious script...
Not only is that still relevant, just not usually the biggest problem; validating the curlbash antipattern by copying it, even in a context where it's less dangerous, seems bad too.
@marcan@treehouse.systems @theartlav The flip side is it detracts from your credibility when you do it. Folks know "curlbash bad, projects recommending it are security clowncars" as a rule but don't understand the subtleties to evaluate "well in this instance it's not as bad".
@dalias @marcan @theartlav But there is no such rule! Plenty of projects that are _not_ security clowncars recommend curl|bash for thoughtful reasons. Plenty of projects that are security clowncars ship source tarballs with unreproducible ./configure scripts.
There is a _perception_ that it's bad, yes. I think a respected project using curl|bash is just as likely to rehabilitate curl|bash and fix that perception, especially if (as here, as Sandstorm did, etc.) they write about why it's okay.
@geofft @marcan@treehouse.systems @theartlav curlbash should not be "rehabilitated". It's *always wrong*, just to varying degrees.
Your comparison of "unreproducible configure scripts" doesn't work because the scope of those is such that they run fine in a build sandbox where you discard everything but the build artifacts. curlbash on the other hand is full of commands to install packages, modify config files, etc.
@dalias @marcan @theartlav Do any users who are not aware of the risks of curl|bash run ./configure in a build sandbox?
Also what build sandbox do you use? I would like to try to escape it. :)
@geofft @marcan@treehouse.systems @theartlav The question is not whether users unaware of the risks of curlbash do that.
The question is whether users who are aware of the risks have a viable path to install without reverse engineering the curlbash garbage somebody shipped in place of build/installation instructions.
@geofft @marcan@treehouse.systems @theartlav The sandbox I use for builds is not claimed to be tight against outright intentional malice, but at least against malice that folks shipping software think is them being "helpful". If you want to play with escapes I'd love to hear your results. https://github.com/richfelker/usand
@dalias @geofft @marcan @theartlav Similar tool based on unshare and overlayfs - https://github.com/binpash/try
It's not supposed to be secure against outright malice, but useful in figuring out what a build/install script is going to do to the filesystem.
You can also get a shell into the temporary "installed" FS to inspect changes.
@cr_mode @dalias @geofft @marcan@treehouse.systems @theartlav wow this is sick