[COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]

[Larry McVoy <lm@mcvoy.com>]

I think you guys are on the same team but are maybe arguing with each
other more than is needed?

On Mon, Feb 27, 2023 at 06:23:32PM -0500, Chet Ramey wrote:
> On 2/27/23 5:01 PM, Dan Cross wrote:
> >On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey <chet.ramey@case.edu> wrote:
> >>On 2/27/23 4:22 PM, Dan Cross wrote:
> >>>[COFF]
> >>>
> >>>On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey@case.edu> wrote:
> >>>>On 2/27/23 4:01 PM, segaloco wrote:
> >>>>>The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism.
> >>>>
> >>>>Well, I suppose if it's from a trustworthy source...
> >>>>
> >>>>(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
> >>>
> >>>I find this a little odd. If I go back to O'Reilly books from the
> >>>early 90s, there was advice to do all sorts of suspect things in them,
> >>
> >>Sure. My sense is that the world is a less trustworthy place today, that
> >>there are more bad actors out there, and that promoting unsafe practices
> >>like this does little good. If practices like this become the norm (and
> >>they have), it gets very easy to trick someone (or worse, compromise the
> >>server and replace the script with something that does just a little bit
> >>extra). Blindly executing code you get from elsewhere as root isn't a
> >>great idea.
> >
> >FTR, you don't usually do this as root, as by default `rustup`
> >installs into $HOME.
> 
> You seem to be concentrating on `rustup', which is fine, it's your
> preferred example. But just because you don't run `sudo sh' when using
> `rustup' doesn't mean there aren't a disturbingly large number of
> installers -- or whatever -- for which that is the recommended workflow.
> Nor does the fact that `rustup' is a safe example mean that this is a safe
> practice in general. I posit that it's a bad idea in general to blindly
> run scripts you download from the Internet, and it's especially bad to
> do it as root. Depending on how you accept risk, you can choose to do
> things about it, but that's often not part of recommendations.
> 
> >I'm not sure how this is any less safe than downloading, say, a
> >tarball and running the contained `configure` script, except that in
> >the latter case one at least has the chance to look at the script
> >contents.
> 
> Yeah, but with configure you don't want to. :-). In any case, if you want
> to, you can have a workflow where you rebuild configure yourself.
> 
> >
> >>Look at the compromises the Python community has been dealing with
> >>recently, involving replacing common packages on well-known repository
> >>sites with malicious ones.
> >
> >That seems like an issue that is independent of the delivery mechanism.
> 
> I suppose it's workflow-dependent. If your workflow for python development
> involves using open-source components (ctx, pytorch, etc.) you get from
> some repository like PyPI, you're going to be susceptible to attacks like
> this.
> 
> 
> -- 
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> 		 ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/

-- 
---
Larry McVoy           Retired to fishing          http://www.mcvoy.com/lm/boat