From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_ADSP_CUSTOM_MED,
	DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI
	autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 12544 invoked from network); 27 Feb 2023 22:08:19 -0000
Received: from minnie.tuhs.org (2600:3c01:e000:146::1)
  by inbox.vuxu.org with ESMTPUTF8; 27 Feb 2023 22:08:19 -0000
Received: from minnie.tuhs.org (localhost [IPv6:::1])
	by minnie.tuhs.org (Postfix) with ESMTP id A53FD432DB;
	Tue, 28 Feb 2023 08:08:17 +1000 (AEST)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135])
	by minnie.tuhs.org (Postfix) with ESMTPS id ACE44432D9
	for <coff@tuhs.org>; Tue, 28 Feb 2023 08:08:10 +1000 (AEST)
Received: by mail-lf1-x135.google.com with SMTP id f18so10580141lfa.3
        for <coff@tuhs.org>; Mon, 27 Feb 2023 14:08:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=OlJ+xs0f7v5hI9TCGbANRojkZ2iVkaWwZ7JXleQwu2w=;
        b=aQUe9y2BJXMpFVkrrkWRaVCzQcZTMo0ZebHIe8Msj1TjQ22K3xaPaAomCq8VrDfCOU
         fOJgn5zZN5Z0QDT2GSBtagbG8alRzVVw63LdECDFhW9i6jujgvm+Qnqk6Iogf3NZKlLa
         M7AhKxMF/YEjG7+xocxMQMYVfsAYg8msiTzQId2h66oMsR8X/Ppxvk4eiyNBuMPMw5JP
         l3FzeKperBc2MW3FWjSYt573tZ+XKoBtieHxp889R7SF4qSR3MopQCC1hxfagXYXbiBN
         JPbpIJOlYPeiak24ggsMWwZr81wLC64KI4ADa0hqsKL27Ro7+T3psUjzkkNsjhlkRTcn
         GBLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=OlJ+xs0f7v5hI9TCGbANRojkZ2iVkaWwZ7JXleQwu2w=;
        b=jYk6vpJP6kfLaREGehA+CoXzD8Ba4gNIpgSl3MkXGDlHz0nhvJlTITsaMdgOiD7ToD
         xpBZmMfSVb58xrbgu0RY1mafpUgmqRP7tkgCxxrO+5wP5KqXyjtVosbl+Iu8ZxWz9NHP
         /A7tyHdbmxsKkdOSCmm2coLrYfYQktos+Qpe99Psx+EIQiho88ogulPFgyA8ek/6kJS3
         MWJWBmi0t31nNY5PquYAK5RJ347Wd4VBoAXJF11p4PqzECnk59QXppyD08h9BAFapgIO
         kBgtSqySXjTPzJRL7dpQMmfiHS6qX63UNmJjkgoaL7iGKBEiCRYjBE2GwboMjsRVbCCQ
         Qu0w==
X-Gm-Message-State: AO0yUKUT0qwjtynWAVGbB1qoaICUXNdVq9Ekd4jqLqxLOQ+Ur7zXjMHZ
	o1Fjgrt/Ahcxj+SYvdAyXOsuS3xBWsvM/nFyjzH/roeE2s0=
X-Google-Smtp-Source: AK7set+3aEWWRWTU7bk6HHvE6cf0S2domAAe0oYtoSbHF7DskpbvcT4EF2G9HaZtVq9JT65HoymhHpnc3UAYkgHRJXI=
X-Received: by 2002:ac2:4837:0:b0:4dc:807a:d149 with SMTP id
 23-20020ac24837000000b004dc807ad149mr30346lft.10.1677535688598; Mon, 27 Feb
 2023 14:08:08 -0800 (PST)
MIME-Version: 1.0
References: <16241ceb-fe92-7f25-bda0-0b327847728d@case.edu>
 <B7F6403D-E276-490B-AB11-835141F31339@iitbombay.org> <vNaSB1ygm5HY-rV-WScmTmerF0acmZicvrUsW4kpDQ-n0-rpXSNQTh9V6mMHVLEbH6cjpXIQrHM8U4Oc4e6vzzA1sGF2eM9lxXqUbEn2bfc=@protonmail.com>
 <735c811e-62ce-5384-b83f-a3887baac89d@case.edu> <CAEoi9W6F__U=TVSkPgNbBHYyjhYPQjHPnMPoOvaz6QPF466w0Q@mail.gmail.com>
 <8A7D978F-88A0-491D-90A3-A1CE843B3698@me.com>
In-Reply-To: <8A7D978F-88A0-491D-90A3-A1CE843B3698@me.com>
From: Dan Cross <crossd@gmail.com>
Date: Mon, 27 Feb 2023 17:07:32 -0500
Message-ID: <CAEoi9W6KaPzB6RidtB62SfSbv0KCyJpZ6x1DiRp0YnHuat0Ppw@mail.gmail.com>
To: Michael Stiller <mstiller@me.com>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: HUBUY6MXK2HYX4MNTB574DP7VXNQONR2
X-Message-ID-Hash: HUBUY6MXK2HYX4MNTB574DP7VXNQONR2
X-MailFrom: crossd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: segaloco <segaloco@protonmail.com>, COFF <coff@tuhs.org>
X-Mailman-Version: 3.3.6b1
Precedence: list
Subject: [COFF] Re: [TUHS] Generational development [was Re: Re: Early GUI on Linux]
List-Id: Computer Old Farts Forum <coff.tuhs.org>
Archived-At: <https://www.tuhs.org/mailman3/hyperkitty/list/coff@tuhs.org/message/HUBUY6MXK2HYX4MNTB574DP7VXNQONR2/>
List-Archive: <https://www.tuhs.org/mailman3/hyperkitty/list/coff@tuhs.org/>
List-Help: <mailto:coff-request@tuhs.org?subject=help>
List-Owner: <mailto:coff-owner@tuhs.org>
List-Post: <mailto:coff@tuhs.org>
List-Subscribe: <mailto:coff-join@tuhs.org>
List-Unsubscribe: <mailto:coff-leave@tuhs.org>

On Mon, Feb 27, 2023 at 4:52 PM Michael Stiller <mstiller@me.com> wrote:
> > I find this a little odd. If I go back to O'Reilly books from the
> > early 90s, there was advice to do all sorts of suspect things in them,
> > such as fetching random bits of pieces from random FTP servers (or
> > even using email fetch tarballs [!!]). Or downloading shell archives
> > from USENET.
> >
> > And of course you _can_ download the script and read through it if you want.
>
> This does not help, you can detect that on the server and send something else.

What? You've already downloaded the script. Once it's on your local
machine, why would you download it again?

> https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

If I really wanted to see whether it had been tampered with, perhaps
spin up a sacrificial machine and run,

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | tee the.script | sh

and compare to the output of,

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs >
the.script.nopipeshell

        - Dan C.