gemini.git

going-flying.com gemini git repository


6e7248483e207c33de472e2fdc6a2a046290560b - Matthew Ernisse - 1599085919

newpost


diff --git a/users/mernisse/articles/13.gmi b/users/mernisse/articles/13.gmi
new file mode 100644
index 0000000..e65477d
--- /dev/null
+++ b/users/mernisse/articles/13.gmi
@@ -0,0 +1,38 @@
+---
+Title: Re: Curling up inside my private bash pipes
+Date: 09/02/2020 18:10
+In-Reply-To: gemini://idiomdrottning.org/no-curl-bash.gmi
+
+> OK, this whole curl -fsSL my.self.hosted.rando.dangerous.url.xyz | bash way to distribute compiled binaries that the Rust and Golang communities are doing is not OK. Sober up and don't curl rando stuff into your shell and don't run rando binaries either.
+
+I can't even begin to to shout 'I agree' loud enough.  This pattern is so bad
+it isn't even funny.  Add to it the fact that half the time the URL isn't even
+HTTPS and that most of the time the incantation is 'sudo curl ...' (or even
+more vomit-inducing `su -; curl ...') and you are just asking for someone to
+install a literal rootkit on your system.  And yet given how awful this is it
+is the canonical installation method for homebrew!
+
+=> https://brew.sh
+
+The original author then goes on to throw similar shade at Rust's `cargo
+install` and golang's `go get` "features" and  I cannot help but feel that the
+entire `modern software development` ecosystem is riddled with this crap that
+many years ago a group of co-workers and I dubbed the `trustme prompt`.  The
+`trustme prompt` was born out of the horror of finding several internal wiki
+articles peppered with copy/paste commands and terrifyingly bad shell scripts
+that were in use by some junior sysadmins and is an allusion to blindly typing
+whatever you are told into the computer without the knowledge (or care) of
+what it does or the implications of it.  (As an aside, most of the commands we
+found at the time were outdated and broken, and several were quite literally
+dangerous.)  This `trustme code` is so widely used and so deeply integrated
+that often times the developers don't even know what is in their software.
+
+=> https://www.zdnet.com/article/another-one-line-npm-package-breaks-the-javascript-ecosystem/
+
+Dear friends, I beg of you, do not do these things.
+
+* Copy/paste commands from a website without understanding them
+* Run some random script from somewhere without understanding it
+* Run *anything* as root that you do not understand **and** trust
+* Give strangers access to your software by including code by reference
+
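Review bot: two text defects in the new article body. The first paragraph after the quote reads `I can't even begin to to shout`, repeating `to`; and gemtext has no inline emphasis, so the `*anything*` and `**and**` in the list item `Run *anything* as root that you do not understand **and** trust` will be displayed literally by Gemini clients. Suggest `Run anything as root that you do not both understand and trust`. Minor style point: the `Date: 09/02/2020 18:10` header is ambiguous between day-first and month-first order; an ISO-style `2020-09-02 18:10` would be unambiguous and agrees with the commit timestamp shown above.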