From: Dan Cross
Date: Mon, 27 Feb 2023 19:29:17 -0500
To: Larry McVoy
CC: segaloco, COFF
Subject: [COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
List-Id: Computer Old Farts Forum
In-Reply-To: <20230227234234.GO12116@mcvoy.com>

On Mon, Feb 27, 2023 at 6:42 PM Larry McVoy wrote:
> I think you guys are on the same team but are maybe arguing with each
> other more than is needed?

Hey, the fine old USENET tradition of being in a state of violent agreement!

 - Dan C.

> On Mon, Feb 27, 2023 at 06:23:32PM -0500, Chet Ramey wrote:
> > On 2/27/23 5:01 PM, Dan Cross wrote:
> > >On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey wrote:
> > >>On 2/27/23 4:22 PM, Dan Cross wrote:
> > >>>[COFF]
> > >>>
> > >>>On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey wrote:
> > >>>>On 2/27/23 4:01 PM, segaloco wrote:
> > >>>>>The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism.
> > >>>>
> > >>>>Well, I suppose if it's from a trustworthy source...
> > >>>>
> > >>>>(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
> > >>>
> > >>>I find this a little odd. If I go back to O'Reilly books from the
> > >>>early 90s, there was advice to do all sorts of suspect things in them,
> > >>
> > >>Sure. My sense is that the world is a less trustworthy place today, that
> > >>there are more bad actors out there, and that promoting unsafe practices
> > >>like this does little good. If practices like this become the norm (and
> > >>they have), it gets very easy to trick someone (or worse, compromise the
> > >>server and replace the script with something that does just a little bit
> > >>extra). Blindly executing code you get from elsewhere as root isn't a
> > >>great idea.
> > >
> > >FTR, you don't usually do this as root, as by default `rustup`
> > >installs into $HOME.
> >
> > You seem to be concentrating on `rustup', which is fine, it's your
> > preferred example. But just because you don't run `sudo sh' when using
> > `rustup' doesn't mean there aren't a disturbingly large number of
> > installers -- or whatever -- for which that is the recommended workflow.
> > Nor does the fact that `rustup' is a safe example mean that this is a safe
> > practice in general. I posit that it's a bad idea in general to blindly
> > run scripts you download from the Internet, and it's especially bad to
> > do it as root. Depending on how you accept risk, you can choose to do
> > things about it, but that's often not part of recommendations.
> >
> > >I'm not sure how this is any less safe than downloading, say, a
> > >tarball and running the contained `configure` script, except that in
> > >the latter case one at least has the chance to look at the script
> > >contents.
> >
> > Yeah, but with configure you don't want to. :-). In any case, if you want
> > to, you can have a workflow where you rebuild configure yourself.
> >
> >
> > >>Look at the compromises the Python community has been dealing with
> > >>recently, involving replacing common packages on well-known repository
> > >>sites with malicious ones.
> > >
> > >That seems like an issue that is independent of the delivery mechanism.
> >
> > I suppose it's workflow-dependent. If your workflow for python development
> > involves using open-source components (ctx, pytorch, etc.) you get from
> > some repository like PyPI, you're going to be susceptible to attacks like
> > this.
> >
> >
> > --
> > ``The lyf so short, the craft so long to lerne.'' - Chaucer
> > ``Ars longa, vita brevis'' - Hippocrates
> > Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
>
> --
> ---
> Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat
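
The "things you can do about it" that Chet says rarely make it into the install instructions, written out as an added example. This is not code from the thread, from rustup or from the Rust book: instead of piping the download into a shell, the installer is fetched to a file, its SHA-256 is compared with a digest pinned from a separate channel, and only then is it run, as an ordinary user. Everything below is constructed for the example: no URL is contacted, the "installer" is a few lines written to a temp file, and the pinned digest stands in for one you got out of band (a signed release note, a checksum published on a different host, a colleague's copy).

```shell
#!/bin/sh
# Added example, not from the thread or from any installer project: the
# "fetch, pin, inspect, then run" alternative to `curl https://... | sh`.
# The script under test and its pinned digest are constructed stand-ins.

# Portability shim: macOS ships shasum rather than sha256sum.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED: succeed only if FILE's digest equals EXPECTED,
# where EXPECTED was obtained from somewhere other than the download itself.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_pinned FILE EXPECTED: run FILE with an unprivileged sh, but only after it
# verifies. A script swapped on the server (the "just a little bit extra" case)
# has a different digest and is refused; nothing is piped straight into a shell,
# and the file is sitting on disk for you to read first if you want to.
run_pinned() {
    if ! verify_script "$1" "$2"; then
        echo "refusing to run $1: SHA-256 does not match pinned value" >&2
        return 1
    fi
    sh "$1"
}

# demo_tampered_install: constructed scenario. Pin the digest of a clean
# installer, run it, then simulate a compromised server by appending one extra
# line and check that the altered copy is refused. Returns 0 if both halves
# behave as intended, 1 otherwise.
demo_tampered_install() {
    tmp=$(mktemp) || return 1
    printf 'echo "installing into $HOME/.example"\n' > "$tmp"
    pinned=$(sha256_of "$tmp")            # in real use this comes from elsewhere
    run_pinned "$tmp" "$pinned" || { rm -f "$tmp"; return 1; }   # clean copy runs
    # The "little bit extra": never executed, because the digest no longer matches.
    printf 'echo "extra" >> "$HOME/.profile"\n' >> "$tmp"
    if run_pinned "$tmp" "$pinned" 2>/dev/null; then
        rm -f "$tmp"; return 1                                   # must not happen
    fi
    rm -f "$tmp"
    return 0
}

demo_tampered_install && echo "clean installer ran, tampered copy refused"
```

Two caveats a practitioner should keep in mind. A pinned digest catches the script being replaced between publication and your download; it does nothing about a script that was already malicious when its author published it, which is the PyPI-style case Chet raises and needs review of the content, not just its integrity. And the digest has to come from somewhere the attacker who controls the download host does not also control, or the check is theatre.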