zlacker

[return to "The Philips Hue ecosystem is collapsing"]
1. karlsh+h3 2023-09-26 23:41:16
>>pictur+(OP)
> Javascript plus a "curl | sudo sh" attitude to life equals "yeah no, I am never touching this thing".

I get why there are people that don’t like how some installers do this, but this trope is really turning into the “but I don’t even own a TV” of OSS commentary.

Just use the Docker image if you don’t like it. Or get their appliance which actually supports ongoing development.

2. bryanc+a4 2023-09-26 23:47:41
>>karlsh+h3
Also, no one’s forcing you to pipe curl into sudo sh. I don’t think a software project listing this as an installation method is that big of a red flag to be honest.
3. jrockw+k8 2023-09-27 00:10:32
>>bryanc+a4
Why is "sudo" emphasized so heavily, anyway? Running as your ordinary user, that shell script can send someone your session cookies, authenticate with your SSH agent, and really anything that you can do. Sure, maybe not running as root protects the integrity of the OS and prevents some persistent keylogging attacks, but honestly... you don't need a keylogger when you just grab the cookies, or install your own binaries farther up in the path (good old ~/.local/bin/firefox instead of /usr/bin/firefox).

Frankly, being anything other than super paranoid is almost a little reckless.

Also, shit-talking Home Assistant is a pretty weird take. I wouldn't write it in Python configured half in YAML and half in SQLite either, but ... not having to write it myself was the fun part.
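
The comment above notes that a script run without root can still drop a binary earlier in the path (`~/.local/bin/firefox` ahead of `/usr/bin/firefox`). The following is an added example, not part of the comment or of any project discussed here, that audits a session for that condition; the function name `find_path_shadows` is hypothetical, and treating "under the home directory" as "writable without root" is an assumption.

```shell
#!/bin/sh
# Report executables in PATH entries under a home directory that hide a
# same-named executable in a later PATH entry outside that home directory.
# Assumption: "under the home directory" stands in for "writable without root".
# Output: one line per finding, "<shadowing file><TAB><shadowed file>".
find_path_shadows() {
    rest=$1            # PATH entries not yet examined
    home=${2%/}        # home directory, trailing slash removed
    [ -n "$home" ] || return 0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        # Only entries inside the home directory can be planted without root.
        case $dir/ in "$home"/*) ;; *) continue ;; esac
        for candidate in "$dir"/*; do
            [ -f "$candidate" ] && [ -x "$candidate" ] || continue
            name=${candidate##*/}
            later=$rest
            # Search the lower-priority entries for the binary being hidden.
            while [ -n "$later" ]; do
                sys=${later%%:*}
                case $later in *:*) later=${later#*:} ;; *) later= ;; esac
                case $sys/ in "$home"/*) continue ;; esac
                if [ -n "$sys" ] && [ -f "$sys/$name" ] && [ -x "$sys/$name" ]; then
                    printf '%s\t%s\n' "$candidate" "$sys/$name"
                    break
                fi
            done
        done
    done
    return 0
}

# Audit the current session; every line printed deserves a look.
find_path_shadows "${PATH:-}" "${HOME:-}"
```

Findings are leads rather than verdicts: user-level package installers legitimately place tools in `~/.local/bin`, so compare each hit against what you knowingly installed.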

4. bombca+da 2023-09-27 00:20:52
>>jrockw+k8
This is basically https://xkcd.com/1200/

Anyone who really complains about curl | sudo is just doing it for nerd points, because I guarantee you they happily install all sorts of other software without "vetting" it.

And if someone caught someone doing trickery it'd be big news.

5. spider+Qk 2023-09-27 01:29:35
>>bombca+da
There are those of us who are security minded and will in fact download the script and check the sha1/sha256 and review the script before running it. Any time I see this curl sudo thing is when there's always another (manual) option. The shell scripts themselves aren't so complex that you can't figure out what they're doing, they're normally fairly straightforward, unless they were generated by some tool, or are in fact malware, so you can see if something looks funky before you run it. Sure, there can be malware that makes it so you can't tell, but normally not.
6. bombca+aB 2023-09-27 03:19:58
>>spider+Qk
It's all a web of trust.

If I don't trust the website to do curl | sudo bash then why do I trust the software that I would eventually install?

Even the old argument of "middleware devices modified the script en-route" is mostly removed by HTTPS everywhere.

And there are people like you who actually look at the script (and the compiled code, too!) to find things, because if they do find something in a script as big as Home Assistant, they'll be famous.