From: Dan Cross
Date: Mon, 27 Feb 2023 17:01:23 -0500
To: chet.ramey@case.edu
CC: segaloco, COFF
Subject: [COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
List-Id: Computer Old Farts Forum

On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey wrote:
> On 2/27/23 4:22 PM, Dan Cross wrote:
> > [COFF]
> >
> > On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey wrote:
> >> On 2/27/23 4:01 PM, segaloco wrote:
> >>> The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism.
> >>
> >> Well, I suppose if it's from a trustworthy source...
> >>
> >> (Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
> >
> > I find this a little odd. If I go back to O'Reilly books from the
> > early 90s, there was advice to do all sorts of suspect things in them,
>
> Sure. My sense is that the world is a less trustworthy place today, that
> there are more bad actors out there, and that promoting unsafe practices
> like this does little good. If practices like this become the norm (and
> they have), it gets very easy to trick someone (or worse, compromise the
> server and replace the script with something that does just a little bit
> extra). Blindly executing code you get from elsewhere as root isn't a
> great idea.

FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME. I'm not sure how this is any less safe than
downloading, say, a tarball and running the contained `configure`
script, except that in the latter case one at least has the chance to
look at the script contents.

> Look at the compromises the Python community has been dealing with
> recently, involving replacing common packages on well-known repository
> sites with malicious ones.

That seems like an issue that is independent of the delivery mechanism.

FWIW, when my old team brought the Rust toolchain into Google, we
investigated this issue at length. Another team (Android security, I
believe) had used `mrustc`, which is a Rust compiler written in C++,
to bootstrap the "real" Rust compiler from source. We then downloaded
and vendored each dependent crate (Rust library) that we needed, with
an auditing step. So it's entirely possible to work with Rust without
ever using `rustup`.

        - Dan C.
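
An added example, not part of the thread or of any project mentioned in it: the thread contrasts piping a download straight into a shell with having the file on disk where it can be read first. This sketch runs a saved installer only if its SHA-256 matches a digest recorded after review, so a script replaced on the server is refused. The function names `sha256_of`, `run_if_pinned` and `demo` are hypothetical, and the "installer" is a constructed local stand-in so the block runs offline.

```shell
#!/bin/sh
# Print the SHA-256 of a file as lowercase hex (sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only when its digest equals the pinned value.
# Returns 2 if FILE is missing, 3 on a digest mismatch.
run_if_pinned() {
    file=$1; expected=$2; shift 2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 3
    fi
    sh "$file" "$@"
}

# Constructed demo: prints "<status of reviewed copy> <status of altered copy>".
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'echo "installer ran"' > "$dir/install.sh"
    # In practice the pinned digest is recorded once, after reading the script.
    pinned=$(sha256_of "$dir/install.sh")
    ok=0
    run_if_pinned "$dir/install.sh" "$pinned" >/dev/null || ok=$?
    # Simulate the script being replaced with one that does a little bit extra.
    printf '%s\n' 'echo "something extra"' >> "$dir/install.sh"
    tampered=0
    run_if_pinned "$dir/install.sh" "$pinned" >/dev/null 2>&1 || tampered=$?
    rm -rf "$dir"
    echo "$ok $tampered"
}

demo
```

The digest only helps if it is obtained and stored separately from the script it covers; a checksum fetched from the same server at the same time would change along with the script.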