From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 29960 invoked from network); 28 Feb 2023 00:29:26 -0000 Received: from minnie.tuhs.org (50.116.15.146) by inbox.vuxu.org with ESMTPUTF8; 28 Feb 2023 00:29:26 -0000 Received: from minnie.tuhs.org (localhost [IPv6:::1]) by minnie.tuhs.org (Postfix) with ESMTP id B3F3F42251; Tue, 28 Feb 2023 10:29:24 +1000 (AEST) Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by minnie.tuhs.org (Postfix) with ESMTPS id F103042230 for ; Tue, 28 Feb 2023 10:29:20 +1000 (AEST) Received: by mail-lf1-x12b.google.com with SMTP id m6so10988616lfq.5 for ; Mon, 27 Feb 2023 16:29:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Sr8RJ0gt/HOZhyWBpn/GLIGhpzqi7Zr5cDDwAIjCKzU=; b=TlmZhZFgnBHUYNHRu+Ae5xmZaBbO8qrQRGBV52mk6lz0YnRS3ml9XiaE9zs42n9mrO yKOYjoWVlTMInIoULaD8yp3l3NccMA685DnZ7yE3PnQakGLK4xPncG+EoIp7OMZRVQ9n 6XzCERkFb23JelLsTT34cpP64YINoJ7KDa4QokfLa6i8bUxAGOtibcF5kpSox5bUuotE wON+ShwpTQKiDKPhcCRweeEIE7cYN1V/VxZT3BEED+N0ylDRC1Bm3ENdOLQLmr8gMkWd g3EuTw58aUqDIW5wXaWEYQHNyeEUT8c7A2oFR8JEDpT0oCbxitQtFGfvWugZ60z/BpZH NfKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Sr8RJ0gt/HOZhyWBpn/GLIGhpzqi7Zr5cDDwAIjCKzU=; b=sMMBxVAa7KY57Y/BMJSQkv479xx/zYWZMejuqciX4vqdJuMn1aTpHKeJR9rsP5lDAy i9g/PfqTgp+cwILkpsui/Btn0AaOlxUsXzw8dmqcWWJNqS/UUmr0G6CgMVaEob1VU4R5 uPxe7FD/dVfyA73Cixv6+jez6STAzpBmPBMcgScaAIx5BbyklxWps0pbn+LG6Yz/sf5W VzQtG8MYJR4A+x9RdI2Vd5laQcggAiWNizeRQWlel5Q37Nt0P9H8Z2Idj1SgVp8IuqML 8oeEK5/yc+8jNKi4JfekAojP8loMsQkmniCXaPQ9/X4ooYpj3lyuEft4DWdc7yPgQ/l6 VF/w== X-Gm-Message-State: AO0yUKUSMRCTCFsgx8mSjeQ/9DhPtiW01GjG4weBwXnxPeNKJUYCfETP d8W6TktjuwOrPNQPMsqoAPugh6vh901wBOIOiT4= X-Google-Smtp-Source: AK7set8VNZ/liY7lw/Erw82ILy3GBtZUfZwaq7ofl9YFvcgvgiZ30e/SLl5j2B1isXsfaMXGRLZP/rAtX6JfbYdXdYA= X-Received: by 2002:ac2:5197:0:b0:4d5:ca43:7047 with SMTP id u23-20020ac25197000000b004d5ca437047mr126589lfi.10.1677544158585; Mon, 27 Feb 2023 16:29:18 -0800 (PST) MIME-Version: 1.0 References: <16241ceb-fe92-7f25-bda0-0b327847728d@case.edu> <735c811e-62ce-5384-b83f-a3887baac89d@case.edu> <5a7aa991-7656-3faf-b34a-d613736716fd@case.edu> In-Reply-To: From: Dan Cross Date: Mon, 27 Feb 2023 19:28:42 -0500 Message-ID: To: chet.ramey@case.edu Content-Type: text/plain; charset="UTF-8" Message-ID-Hash: LVG6MHTCUGE7YTYQQ5BEILRTSTCK64PR X-Message-ID-Hash: LVG6MHTCUGE7YTYQQ5BEILRTSTCK64PR X-MailFrom: crossd@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: segaloco , COFF X-Mailman-Version: 3.3.6b1 Precedence: list Subject: [COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux] List-Id: Computer Old Farts Forum Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Mon, Feb 27, 2023 at 6:36 PM Chet Ramey wrote: > On 2/27/23 5:01 PM, Dan Cross wrote: > > On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey wrote: > >> On 2/27/23 4:22 PM, Dan Cross wrote: > >>> [COFF] > >>> > >>> On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey wrote: > >>>> On 2/27/23 4:01 PM, segaloco wrote: > >>>>> The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism. > >>>> > >>>> Well, I suppose if it's from a trustworthy source... > >>>> > >>>> (Sorry, my eyes rolled so hard they're bouncing on the floor right now.) > >>> > >>> I find this a little odd. If I go back to O'Reilly books from the > >>> early 90s, there was advice to do all sorts of suspect things in them, > >> > >> Sure. My sense is that the world is a less trustworthy place today, that > >> there are more bad actors out there, and that promoting unsafe practices > >> like this does little good. If practices like this become the norm (and > >> they have), it gets very easy to trick someone (or worse, compromise the > >> server and replace the script with something that does just a little bit > >> extra). Blindly executing code you get from elsewhere as root isn't a > >> great idea. > > > > FTR, you don't usually do this as root, as by default `rustup` > > installs into $HOME. > > You seem to be concentrating on `rustup', which is fine, it's your > preferred example. Huh? Rustup is the context that this came up in: | On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey wrote: | > On 2/27/23 4:01 PM, segaloco wrote: | > The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism. | | Well, I suppose if it's from a trustworthy source... | | (Sorry, my eyes rolled so hard they're bouncing on the floor right now.) > But just because you don't run `sudo sh' when using > `rustup' doesn't mean there aren't a disturbingly large number of > installers -- or whatever -- for which that is the recommended workflow. > > Nor does the fact that `rustup' is a safe example mean that this is a safe > practice in general. I posit that it's a bad idea in general to blindly > run scripts you download from the Internet, and it's especially bad to > do it as root. Depending on how you accept risk, you can choose to do > things about it, but that's often not part of recommendations. I cannot help but point out that this is moving the goalposts somewhat from the specific context that I was responding to. If we're now talking about things in general then I agree with you. > > I'm not sure how this is any less safe than downloading, say, a > > tarball and running the contained `configure` script, except that in > > the latter case one at least has the chance to look at the script > > contents. > > Yeah, but with configure you don't want to. :-). Hah! > In any case, if you want > to, you can have a workflow where you rebuild configure yourself. This is true, but then there's the autotools source stuff that you've got to inspect as well, and on and on. Taken to its logical conclusion, we're reading the source for the package (which, if one has time, isn't necessarily a bad idea). I think in the end, running any software package involves taking a calculated risk in a number of dimensions: there's the obvious correctness and security aspects, but also legal aspects with respect to licensing and patents and so forth. For whatever it's worth, a lot of people have decided that running a script downloaded from some HTTP server somewhere is acceptable to them, provided it's decently well-known and so on. Or perhaps they just cargo-cult it and don't really think about it, which (I think) hews closer to the argument that folks here have been making. > >> Look at the compromises the Python community has been dealing with > >> recently, involving replacing common packages on well-known repository > >> sites with malicious ones. > > > > That seems like an issue that is independent of the delivery mechanism. > > I suppose it's workflow-dependent. If your workflow for python development > involves using open-source components (ctx, pytorch, etc.) you get from > some repository like PyPI, you're going to be susceptible to attacks like > this. Indeed, supply-chain attacks both for software and hardware are something that the industry generally hasn't given due consideration. I think that's (slowly) changing. Hopefully we'll see more risk analysis with respect to this going forward. Maybe the rustup folks will even change; I've put an inquiry out. - Dan C.