💾 Archived View for going-flying.com › ~mernisse › 13.gmi captured on 2022-01-08 at 13:37:39. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-04)
-=-=-=-=-=-=-
OK, this whole curl -fsSL my.self.hosted.rando.dangerous.url.xyz | bash way to distribute compiled binaries that the Rust and Golang communities are doing is not OK. Sober up and don't curl rando stuff into your shell and don't run rando binaries either.
I can't even begin to to shout 'I agree' loud enough. This pattern is so bad it isn't even funny. Add to it the fact that half the time the URL isn't even HTTPS and that most of the time the incantation is 'sudo curl ...' (or even more vomit-inducing `su -; curl ...') and you are just asking for someone to install a literal rootkit on your system. And yet given how awful this is it is the canonical installation method for homebrew!
The original author then goes on to throw similar shade at Rust's `cargo install` and golang's `go get` "features" and I cannot help but feel that the entire `modern software development` ecosystem is riddled with this crap that many years ago a group of co-workers and I dubbed the `trustme prompt`. The `trustme prompt` was born out of the horror of finding several internal wiki articles peppered with copy/paste commands and terrifyingly bad shell scripts that were in use by some junior sysadmins and is an allusion to blindly typing whatever you are told into the computer without the knowledge (or care) of what it does or the implications of it. (As an aside, most of the commands we found at the time were outdated and broken, and several were quite literally dangerous.) This `trustme code` is so widely used and so deeply integrated that often times the developers don't even know what is in their software.
https://www.zdnet.com/article/another-one-line-npm-package-breaks-the-javascript-ecosystem/
Dear friends, I beg of you, do not do these things.
🚀 © MMXX-MMXXI matt@going-flying.com