zlacker

[return to "The Philips Hue ecosystem is collapsing"]
1. karlsh+h3 2023-09-26 23:41:16
>>pictur+(OP)
> Javascript plus a "curl | sudo sh" attitude to life equals "yeah no, I am never touching this thing".

I get why there are people that don’t like how some installers do this, but this trope is really turning into the “but I don’t even own a TV” of OSS commentary.

Just use the Docker image if you don’t like it. Or get their appliance which actually supports ongoing development.

2. bryanc+a4 2023-09-26 23:47:41
>>karlsh+h3
Also, no one’s forcing you to pipe curl into sudo sh. I don’t think a software project listing this as an installation method is that big of a red flag to be honest.
3. jrockw+k8 2023-09-27 00:10:32
>>bryanc+a4
Why is "sudo" emphasized so heavily, anyway? Running as your ordinary user, that shell script can send someone your session cookies, authenticate with your SSH agent, and really anything that you can do. Sure, maybe not running as root protects the integrity of the OS and prevents some persistent keylogging attacks, but honestly... you don't need a keylogger when you just grab the cookies, or install your own binaries farther up in the path (good old ~/.local/bin/firefox instead of /usr/bin/firefox).

Frankly, being anything other than super paranoid is almost a little reckless.

Also, shit-talking Home Assistant is a pretty weird take. I wouldn't write it in Python configured half in YAML and half in SQLite either, but ... not having to write it myself was the fun part.
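
The `~/.local/bin/firefox` shadowing mentioned in the comment above can be checked for from the defender's side. This is an added example, not part of the thread: a POSIX sh function that reports executables under the home directory that sit earlier in `PATH` than a same-named executable elsewhere. The function names are hypothetical, and treating "under `$HOME`" as "user-controlled" is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: a PATH directory is "user-controlled" when it lies under the
# given home directory; everything else counts as a system directory.

# first_system_match NAME PATH_REMAINDER HOME
# Prints the first executable NAME found in a non-home directory of
# PATH_REMAINDER; returns 1 when there is none.
first_system_match() {
    m_rest=$2
    while [ -n "$m_rest" ]; do
        m_dir=${m_rest%%:*}
        case $m_rest in *:*) m_rest=${m_rest#*:} ;; *) m_rest= ;; esac
        case $m_dir in ""|"$3"|"$3"/*) continue ;; esac
        if [ -f "$m_dir/$1" ] && [ -x "$m_dir/$1" ]; then
            printf '%s\n' "$m_dir/$1"
            return 0
        fi
    done
    return 1
}

# find_path_shadows PATH_STRING HOME
# Prints "<home file> shadows <system file>" for each executable under HOME
# that is found earlier in PATH_STRING than a same-named system executable.
find_path_shadows() {
    home=${2%/}
    [ -n "$home" ] || return 2      # refuse "/" or empty: would match everything
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        case $dir in "$home"|"$home"/*) ;; *) continue ;; esac
        for cand in "$dir"/*; do
            [ -f "$cand" ] && [ -x "$cand" ] || continue
            hit=$(first_system_match "${cand##*/}" "$rest" "$home") || continue
            printf '%s shadows %s\n' "$cand" "$hit"
        done
    done
    return 0
}

# Audit the current session; review every line it prints.
find_path_shadows "$PATH" "${HOME:-/nonexistent}"
```

A reported line is not proof of tampering (pip and similar tools legitimately install into `~/.local/bin`), but each one is a binary that runs in place of the system copy without root ever having been involved.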

4. noduer+va 2023-09-27 00:22:42
>>jrockw+k8
I don't use any of this home automation junk, but this kind of begs the question - why would such an app need root access to your devices in the first place?
5. bryanc+rc 2023-09-27 00:34:35
>>noduer+va
To allow a web server to bind to port 80 is the only thing that really comes to mind.
6. noduer+nG 2023-09-27 03:56:50
>>bryanc+rc
Yeah, that's a conceivable use case for a dedicated box, I guess. But why would that be necessary (or desirable?) Seems like opening port 80 would be the last thing you'd want a home appliance to do... lol
7. somehn+xF1 2023-09-27 12:32:20
>>noduer+nG
80 is desirable because it’s the default port of web browsers and means you can just visit the DNS or IP address & not have to remember to tack on some arbitrary port number. Or use some sort of proxy if set up.

And there’s nothing wrong with using port 80 security wise. Binding a port doesn’t mean you’re opening it on the firewall for the world to see. Plus if you’re opening some port on the firewall, what port you use doesn’t matter - it’ll be scanned by an automated scanner shortly regardless of port.

8. noduer+0c2 2023-09-27 15:05:54
>>somehn+xF1
The downsides of choosing port 80 for your all-important lightbulb dimmer switch telemetry are that:

1. browsers don't even attempt encryption,

2. the port could be open to the world, and

3. lots of people are already running more meaningful shit on port 80.

Seriously, you want to sell me a lightbulb that needs root access and then opens an unencrypted port and then makes outbound calls...? Are you nuts? That's beyond lazy design. It's almost like an intentional insult.

[edit] If you set up a home service on your local network, surely you can also bookmark the obscure port number next to the 128/ address in front of it. The only purpose served by turning your light bulbs into a beacon from hell on port 80 would be letting strangers totally penetrate your house. What happens if you start up a webserver? Do the lights go off?

What kind of schmuck does this to his house??
