From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 22586 invoked from network); 27 Feb 2023 23:29:25 -0000 Received: from minnie.tuhs.org (2600:3c01:e000:146::1) by inbox.vuxu.org with ESMTPUTF8; 27 Feb 2023 23:29:25 -0000 Received: from minnie.tuhs.org (localhost [IPv6:::1]) by minnie.tuhs.org (Postfix) with ESMTP id E79074319B; Tue, 28 Feb 2023 09:29:23 +1000 (AEST) Received: from mpv-out-ksl-1.case.edu (mpv-out-ksl-1.CWRU.Edu [129.22.103.228]) by minnie.tuhs.org (Postfix) with ESMTPS id 7CD3542273 for ; Tue, 28 Feb 2023 09:29:15 +1000 (AEST) Received: from mpv-local-ksl-1.CWRU.Edu (EHLO mpv-local-ksl-1.case.edu) ([129.22.103.235]) by mpv-out-ksl-1.case.edu (MOS 4.4.8-GA FastPath queued) with ESMTP id AKO48454; Mon, 27 Feb 2023 18:29:14 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=case.edu; s=smtp-primary; t=1677540554; bh=t3Ulgl/NyfOkcAyinIXzou7t4D2jDNu6SUOyM9qDM2I=; l=2972; h=Message-ID:Date:MIME-Version:Reply-To:Cc:Subject:To:References: From:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=c8YLbL4F6r1P0bGc16GekqsUaJy45ekyRYWFa8Ugk1lsSjZxve2pmIuVw6NhQfzNuJ PGqSdG0GyDJMOi+3oT6v445b7WAAnr4ZAHfqrAiELkHyVb+7ECWwlHyaAC4WPa2MiFH 9fFVBWXQwW2dgsbdMcna2RqmSGLy2SpBAcbr57cK2aHk6UkN2Mq4USUZm7uQTAmOsvZ CP7PML3bZ5IOOnvaarZpMtB1aGWWMuEVlUum5qNs1HoRGXnrji26RSpBI21uzivcQar aQU/oelcHX0rU+LmPDwCuG/bXHltcQpsgHIopjsTyZRsV4fOYqoBzkRcooHqnYkByEQ z+eN8DEg== Received: from mail-qv1-f71.google.com (EHLO mail-qv1-f71.google.com) ([209.85.219.71]) by mpv-local-ksl-1.case.edu (MOS 4.4.8-GA FastPath queued) with ESMTP id BAF58421; Mon, 27 Feb 2023 18:23:36 -0500 (EST) Received: by mail-qv1-f71.google.com with SMTP id pz4-20020ad45504000000b0056f060452adso4157163qvb.6 for ; Mon, 27 Feb 2023 15:23:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=case.edu; s=g-case; h=content-transfer-encoding:in-reply-to:organization:from:references :to:content-language:subject:cc:reply-to:user-agent:mime-version :date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=t3Ulgl/NyfOkcAyinIXzou7t4D2jDNu6SUOyM9qDM2I=; b=GeH1tNlEJ/GxiKreecRD29YHwwntlyKCS1T5XU6Z8/Z8zob3j2NRSdOWTUa7NdVlON 74WCd51FUXmR/oA8mrb82fCJnZ6zr1kNy3cF3tqjFT9MZhF4T+8xhv4OUV9MAymYIOxK 8JX6oddONLlodSUGehh8jSN9lTUsJnl7DkuhfVBEpsQuE9JNvpGrmohiJZApA0uITgid zLU59qaAo2emM5kxLSb2XkqpuOhX/2FX4iFQKB6RzFMkrlwi0gi+PcnoBfBDQbmTfg// hwa95m9HZmly9ISEQrdkibWPLk99DNHmOsQnKPUeDYwjUf2QintT+5ULSkQNAGorvpsR p8xg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:organization:from:references :to:content-language:subject:cc:reply-to:user-agent:mime-version :date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=t3Ulgl/NyfOkcAyinIXzou7t4D2jDNu6SUOyM9qDM2I=; b=b3sPKX2iAl9KfHmaPfAVTL0ZMUy+J7bZGtkThZjt+CcFLiXzNOOM5Ogbv2eUhrKW9d LBKh6WUj8vT+efABbErqerkn+sXEO1inox212rNvhC5zrIV14xtk/QiHU+UBQqJEP+Gb Lr2aAREp37myVSH5UsPF3buA99ZvuDLZCSf/s8QTtelrKngQRTxf9y6t6KvN/xwvxH/k wiHi78woZyl8eWMyBFlOr9o6fz8A5RbKeO4K/MaliaXbqWSlRaDhKaDg7cjsM0WzS4tE K8pmqYELJEAqfrCUaN0+gXwrKqxVVmiIfOenmEu9jlZmuvM3NQUJcCu0SOR66Gqw8IsS 9VIw== X-Gm-Message-State: AO0yUKWJDvzDseQ8KXcpDBVsuIepc8A5sWIcivgyMW5Ib/LKcaTpt6uU maX5s8ORzENyJYE0FGIvrxbgdx3SknKAdNIghPZhvP6yrtq1L4mmv5HQ8TmhWQtmsZ8+0Tm7hn/ wU8xoRK8= X-Received: by 2002:ac8:7c45:0:b0:3bf:a87b:26ed with SMTP id o5-20020ac87c45000000b003bfa87b26edmr1842996qtv.1.1677540215792; Mon, 27 Feb 2023 15:23:35 -0800 (PST) X-Google-Smtp-Source: AK7set8jkcDqGLJFKIpgNCM9W93tLCnPTs18mplYMvLMPAtVtyGAmH0mCM14KJOIPRLkdFJRo7GY5A== X-Received: by 2002:ac8:7c45:0:b0:3bf:a87b:26ed with SMTP id o5-20020ac87c45000000b003bfa87b26edmr1842961qtv.1.1677540215373; Mon, 27 Feb 2023 15:23:35 -0800 (PST) Received: from [192.168.0.112] (cpe-107-10-247-26.neo.res.rr.com. [107.10.247.26]) by smtp.gmail.com with ESMTPSA id 189-20020a3708c6000000b0073b27323c6dsm5674442qki.136.2023.02.27.15.23.33 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 27 Feb 2023 15:23:35 -0800 (PST) Message-ID: Date: Mon, 27 Feb 2023 18:23:32 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0 Content-Language: en-US To: Dan Cross References: <16241ceb-fe92-7f25-bda0-0b327847728d@case.edu> <735c811e-62ce-5384-b83f-a3887baac89d@case.edu> <5a7aa991-7656-3faf-b34a-d613736716fd@case.edu> From: Chet Ramey Organization: ITS, Case Western Reserve University In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Mirapoint-IP-Reputation: reputation=Good-1, source=Queried, refid=tid=0001.0A742F90.63FD303A.0035, actions=tag X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A742F1C.63FD3CC8.000C,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2016-11-06 16:00:04, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 15043b1d8c18e06e894b0927b34e80e1 X-Mirapoint-IP-Reputation: reputation=good-1, source=Fixed, refid=n/a, actions=tag X-Junkmail-Status: score=8/90, host=mpv-out-ksl-1.case.edu X-Junkmail-PrAS-Raw: score=8/90, refid=2.7.2:2023.2.27.212730:17:8.707, ip=, rules=__YOUTUBE_RCVD, DKIM_SIGNATURE, __X_GOOGLE_DKIM_SIGNATURE, __X_GM_MESSAGE_STATE, __X_GOOGLE_SMTP_SOURCE, __HAS_MSGID, __SANE_MSGID, __MSGID_HEX_844412, DATE_TZ_NA, __MIME_VERSION, __USER_AGENT, __MOZILLA_USER_AGENT, __HAS_REPLYTO, __HAS_CC_HDR, __MULTIPLE_RCPTS_CC_X2, __CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_REPLY, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __TO_MALFORMED_2, __TO_NAME, __TO_NAME_DIFF_FROM_ACC, __TO_GMAIL, __HAS_REFERENCES, __REFERENCES, __HAS_FROM, FROM_EDU_TLD, __IN_REP_TO, __CT, __CT_TEXT_PLAIN, __CTE, CTE_7BIT, __REPLYTO_SAMEAS_FROM_ADDY, __REPLYTO_SAMEAS_FROM_ACC, __FROM_DOMAIN_IN_ANY_CC2, __RCPT_DOMAIN_NOT_TO, __REPLYTO_SAMEAS_FROM_DOMAIN, __DKIM_ALIGNS_1, __DKIM_ALIGNS_2, __FUR_HEADER, __ANY_URI, __URI_MAILTO, __URI_WITH_PATH, __URI_ENDS_IN_SLASH, __URI_NO_WWW, __CP_URI_IN_BODY, __FRAUD_URGENCY, [TRUNCATED], so=2010-03-03 19:42:08, dmn=2016-08-03-0138 Message-ID-Hash: MGR6BRYPYNY6RXQ4FOTT2PMXWQ6UHAIM X-Message-ID-Hash: MGR6BRYPYNY6RXQ4FOTT2PMXWQ6UHAIM X-MailFrom: chet.ramey@case.edu X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: segaloco , COFF X-Mailman-Version: 3.3.6b1 Precedence: list Reply-To: chet.ramey@case.edu Subject: [COFF] Re: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux] List-Id: Computer Old Farts Forum Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On 2/27/23 5:01 PM, Dan Cross wrote: > On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey wrote: >> On 2/27/23 4:22 PM, Dan Cross wrote: >>> [COFF] >>> >>> On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey wrote: >>>> On 2/27/23 4:01 PM, segaloco wrote: >>>>> The official Rust book lists a blind script grab from a website piped into a shell as their "official" install mechanism. >>>> >>>> Well, I suppose if it's from a trustworthy source... >>>> >>>> (Sorry, my eyes rolled so hard they're bouncing on the floor right now.) >>> >>> I find this a little odd. If I go back to O'Reilly books from the >>> early 90s, there was advice to do all sorts of suspect things in them, >> >> Sure. My sense is that the world is a less trustworthy place today, that >> there are more bad actors out there, and that promoting unsafe practices >> like this does little good. If practices like this become the norm (and >> they have), it gets very easy to trick someone (or worse, compromise the >> server and replace the script with something that does just a little bit >> extra). Blindly executing code you get from elsewhere as root isn't a >> great idea. > > FTR, you don't usually do this as root, as by default `rustup` > installs into $HOME. You seem to be concentrating on `rustup', which is fine, it's your preferred example. But just because you don't run `sudo sh' when using `rustup' doesn't mean there aren't a disturbingly large number of installers -- or whatever -- for which that is the recommended workflow. Nor does the fact that `rustup' is a safe example mean that this is a safe practice in general. I posit that it's a bad idea in general to blindly run scripts you download from the Internet, and it's especially bad to do it as root. Depending on how you accept risk, you can choose to do things about it, but that's often not part of recommendations. > I'm not sure how this is any less safe than downloading, say, a > tarball and running the contained `configure` script, except that in > the latter case one at least has the chance to look at the script > contents. Yeah, but with configure you don't want to. :-). In any case, if you want to, you can have a workflow where you rebuild configure yourself. > >> Look at the compromises the Python community has been dealing with >> recently, involving replacing common packages on well-known repository >> sites with malicious ones. > > That seems like an issue that is independent of the delivery mechanism. I suppose it's workflow-dependent. If your workflow for python development involves using open-source components (ctx, pytorch, etc.) you get from some repository like PyPI, you're going to be susceptible to attacks like this. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/