zlacker

[return to "The Philips Hue ecosystem is collapsing"]
1. karlsh+h3[view] [source] 2023-09-26 23:41:16
>>pictur+(OP)
> Javascript plus a "curl | sudo sh" attitude to life equals "yeah no, I am never touching this thing".

I get why there are people that don’t like how some installers do this, but this trope is really turning into the “but I don’t even own a TV” of OSS commentary.

Just use the Docker image if you don’t like it. Or get their appliance which actually supports ongoing development.

◧◩
2. Waterl+J4[view] [source] 2023-09-26 23:51:18
>>karlsh+h3
Surely these are the same kinds of people who will carefully review all scripts before running them, right?
◧◩◪
3. tzs+db[view] [source] 2023-09-27 00:26:30
>>Waterl+J4
Even if you don't review it before running it, after

  $ curl https://whatever/foo.sh > foo.sh
  $ sh foo.sh
if something goes terribly wrong you can examine foo.sh to try to figure out what happened and how to fix it. Even if foo.sh managed to delete itself you can just grab it again.

After

  $ curl https://whatever/foo.sh | sh
if something goes wrong and you then try

  $ curl https://whatever/foo.sh > foo.sh
to get a copy of the script to examine a malicious server can tell that you aren't piping to a shell [1] and give a non-malicious script.

Since it takes an insignificant amount of effort to defend against this why not get in the habit of doing it?

[1] >>17636032

[go to top]