[return to "The Philips Hue ecosystem is collapsing"]
1. karlsh+h3 2023-09-26 23:41:16
>>pictur+(OP)
> Javascript plus a "curl | sudo sh" attitude to life equals "yeah no, I am never touching this thing".

I get why there are people that don’t like how some installers do this, but this trope is really turning into the “but I don’t even own a TV” of OSS commentary.

Just use the Docker image if you don’t like it. Or get their appliance which actually supports ongoing development.

2. bryanc+a4 2023-09-26 23:47:41
>>karlsh+h3
Also, no one’s forcing you to pipe curl into sudo sh. I don’t think a software project listing this as an installation method is that big of a red flag, to be honest.

3. hk1337+Z5 2023-09-26 23:57:18
>>bryanc+a4
Yeah, you could always just curl it first and see what it’s going to do.

4. posnet+U6 2023-09-27 00:02:35
>>hk1337+Z5
It can be detected if your adversaries are clever enough: https://lukespademan.com/blog/the-dangers-of-curlbash/

5. post-+we 2023-09-27 00:47:39
>>posnet+U6
Tbh, I’m put more on alert by the spelling errors in the linked post than I am by the ostensible threat of a server timing my requests in order to serve malware.

It’s good practice to check anything that you’ll pipe to `sudo`, but this article’s level of paranoia is kind of self-defeating, no?

At some point, we all trust the things we run on our machines. We rely on communities — and our participation in them — to vet installations.

There is no perfect solution. Someone will always be misled.
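
Fetching the script first and reading it, as suggested in the thread, only helps if the bytes you read are the bytes you run, because a server can answer a later piped request differently. The following is an added example, not part of the thread or of any project mentioned in it, with hypothetical function names: download once to a file, record its SHA-256 at review time, and execute that same file only if the hash still matches.

```shell
#!/bin/sh
# Added example: fetch once, review, then run exactly the bytes that were reviewed.
# The URL and the pinned hash passed to these functions are the caller's own values.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Download the installer to a file instead of a pipe. Nothing is executed here.
# -f: fail on HTTP errors, -sS: quiet but report errors, -L: follow redirects.
fetch_installer() {
    url=$1; dest=$2
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url"
}

# Succeed only if the file on disk matches the hash recorded at review time.
verify_installer() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch: got $actual, expected $expected" >&2
        return 1
    fi
}

# Run the reviewed file itself; never re-fetch between review and execution.
# Extra arguments are passed through to the installer.
run_reviewed() {
    file=$1; expected=$2; shift 2
    verify_installer "$file" "$expected" && sh "$file" "$@"
}
```

Typical use is `fetch_installer URL install.sh`, read `install.sh`, note `sha256_of install.sh`, then `run_reviewed install.sh HASH` (under `sudo` only if the reviewed script needs it).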