From: Dan Cross <crossd@gmail.com>
To: Larry McVoy <lm@mcvoy.com>
Cc: segaloco <segaloco@protonmail.com>, COFF <coff@tuhs.org>
Subject: [COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
Date: Mon, 27 Feb 2023 19:29:17 -0500
Message-ID: <CAEoi9W6T5Q5AwmFj7J2g-nQ-csRvfpzHszG6FW2kQD+AeWK5kA@mail.gmail.com>
In-Reply-To: <20230227234234.GO12116@mcvoy.com>
On Mon, Feb 27, 2023 at 6:42 PM Larry McVoy <lm@mcvoy.com> wrote:
> I think you guys are on the same team but are maybe arguing with each
> other more than is needed?
Hey, the fine old USENET tradition of being in a state of violent agreement!
- Dan C.
> On Mon, Feb 27, 2023 at 06:23:32PM -0500, Chet Ramey wrote:
> > On 2/27/23 5:01 PM, Dan Cross wrote:
> > >On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey <chet.ramey@case.edu> wrote:
> > >>On 2/27/23 4:22 PM, Dan Cross wrote:
> > >>>[COFF]
> > >>>
> > >>>On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey@case.edu> wrote:
> > >>>>On 2/27/23 4:01 PM, segaloco wrote:
> > >>>>>The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism.
> > >>>>
> > >>>>Well, I suppose if it's from a trustworthy source...
> > >>>>
> > >>>>(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
> > >>>
> > >>>I find this a little odd. If I go back to O'Reilly books from the
> > >>>early 90s, there was advice to do all sorts of suspect things in them,
> > >>
> > >>Sure. My sense is that the world is a less trustworthy place today, that
> > >>there are more bad actors out there, and that promoting unsafe practices
> > >>like this does little good. If practices like this become the norm (and
> > >>they have), it gets very easy to trick someone (or worse, compromise the
> > >>server and replace the script with something that does just a little bit
> > >>extra). Blindly executing code you get from elsewhere as root isn't a
> > >>great idea.
> > >
> > >FTR, you don't usually do this as root, as by default `rustup`
> > >installs into $HOME.
> >
> > You seem to be concentrating on `rustup', which is fine, it's your
> > preferred example. But just because you don't run `sudo sh' when using
> > `rustup' doesn't mean there aren't a disturbingly large number of
> > installers -- or whatever -- for which that is the recommended workflow.
> > Nor does the fact that `rustup' is a safe example mean that this is a safe
> > practice in general. I posit that it's a bad idea in general to blindly
> > run scripts you download from the Internet, and it's especially bad to
> > do it as root. Depending on how you accept risk, you can choose to do
> > things about it, but that's often not part of recommendations.
> >
> > >I'm not sure how this is any less safe than downloading, say, a
> > >tarball and running the contained `configure` script, except that in
> > >the latter case one at least has the chance to look at the script
> > >contents.
> >
> > Yeah, but with configure you don't want to. :-). In any case, if you want
> > to, you can have a workflow where you rebuild configure yourself.
> >
> > >
> > >>Look at the compromises the Python community has been dealing with
> > >>recently, involving replacing common packages on well-known repository
> > >>sites with malicious ones.
> > >
> > >That seems like an issue that is independent of the delivery mechanism.
> >
> > I suppose it's workflow-dependent. If your workflow for python development
> > involves using open-source components (ctx, pytorch, etc.) you get from
> > some repository like PyPI, you're going to be susceptible to attacks like
> > this.
> >
> >
> > --
> > ``The lyf so short, the craft so long to lerne.'' - Chaucer
> > ``Ars longa, vita brevis'' - Hippocrates
> > Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
>
> --
> ---
> Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat
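The quoted exchange turns on the difference between piping a downloaded script straight into a shell and having a chance to look at it first. Chet's remark that "you can choose to do things about it" is the point where a practitioner wants to see the alternative spelled out. The following POSIX shell script is an added example written for this thread, not code from any of the participants or from the Rust project: it downloads an installer to a file, checks its SHA-256 against a digest pinned ahead of time from an out-of-band source (the project's signed release page, a colleague, a previous verified download), and only then runs it, as the current unprivileged user rather than via `sudo`. The function names, the `EXPECTED_SHA256` placeholder and the sample "installer" files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): fetch, verify, then run, instead of
# `curl ... | sh`. Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS)
# is installed; curl is only needed by safe_install, which the demo does not call.

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_DIGEST
# Succeeds only if FILE's digest equals EXPECTED_DIGEST. Never executes FILE,
# so a server-side swap of the script (the "just a little bit extra" case)
# is caught before anything runs.
verify_script() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# safe_install URL EXPECTED_DIGEST
# Downloads to a temp file, verifies the pinned digest, and only then runs
# the script as the invoking user. The temp file is left on disk on mismatch
# so it can be inspected.
safe_install() {
    url="$1"; expected="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_script "$tmp" "$expected"; then
        sh "$tmp"; rc=$?
        rm -f "$tmp"
        return $rc
    fi
    echo "leaving $tmp in place for inspection" >&2
    return 1
}

# Offline demonstration on constructed files (no network access needed):
# the "good" installer matches its pinned digest; a tampered copy does not.
demo_dir=$(mktemp -d)
printf 'echo installing\n' > "$demo_dir/install.sh"
EXPECTED_SHA256=$(sha256_of "$demo_dir/install.sh")   # pinned out-of-band in real use
printf 'echo installing\necho a little bit extra\n' > "$demo_dir/tampered.sh"

verify_script "$demo_dir/install.sh" "$EXPECTED_SHA256" && echo "install.sh: digest ok"
verify_script "$demo_dir/tampered.sh" "$EXPECTED_SHA256" 2>/dev/null || echo "tampered.sh: rejected"
```

In practice the pinned digest has to come from somewhere other than the same server that serves the script, otherwise an attacker who replaced the script can replace the digest too; a signature checked against a key obtained earlier is the stronger version of the same idea. The script also does nothing about the contents of a legitimately published installer, which is why downloading to a file first, so it can be read, is the half of the workflow that matters most.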