zlacker

[parent] [thread] 5 comments
1. mikeas+(OP)[view] [source] 2018-07-29 02:29:22
The difference is that you can inspect it before you run it if you download it. If you pipe it into bash you don’t know what you’re getting, even if you previously inspected the data provided by that URL.
replies(3): >>static+U >>cjbpri+Z >>trumpe+Mw
2. static+U[view] [source] 2018-07-29 02:48:16
>>mikeas+(OP)
I don't feel the need to review the source code for every install script I run.

I don't read the source code for almost any of the code on my machine today. In most cases where I see `curl | bash`, I'd probably already be screwed even if I review it. Most install scripts and up doing "hit website, install thing" anyways - am I reviewing the second stage install script also?

replies(1): >>mikeas+41
3. cjbpri+Z[view] [source] 2018-07-29 02:48:48
>>mikeas+(OP)
That's a way in which "curl | bash" distributed software is better than .deb/.dmg distributed software, right? Because you have the potential to inspect the script first, if you have some kind of ridiculous confidence in your ability to perform security review of an entire software product in the moments before you decide to install it.

But it's never presented in that way, as a feature. It's presented as a terrible way to distribute software.

replies(1): >>twr+x8
◧◩
4. mikeas+41[view] [source] [discussion] 2018-07-29 02:51:29
>>static+U
That’s fair. It’s probably not an important difference.
◧◩
5. twr+x8[view] [source] [discussion] 2018-07-29 05:42:11
>>cjbpri+Z
It doesn't take ridiculous confidence to analyze shell scripts. In the hundreds of scripts I have read, few were more than 100 lines long. It shouldn't take more than 60 seconds (probably 30 or less) to mentally build a list of all possible operations a short script can perform. Bourne shell scripts don't have much room to hide surprising behavior, and when they do, it immediately stands out. If they are permanently installed, and invoked later by other parts of the system, then they may need more probing, but we're talking about installation scripts.

.deb and .dmg can be easily extracted. The former is just an `ar` archive containing tarballs, which you can (and should) extract to read the install scripts. (.dmg specifics escape me, since I only dealt with them one time, years ago.)

Binary code isn't inscrutable. Some good tools for this are, among many, many more, IDA, Hopper, and radare2. How long this takes depends on what your goals are, how comprehensive you are, and the program complexity. I don't think I've yet spent years on one project, fortunately, but the months-long efforts, for undoing some once-prominent copyright protection systems, were pretty brutal. Smaller programs have taken me just several hours to appropriately examine.

6. trumpe+Mw[view] [source] 2018-07-29 14:11:10
>>mikeas+(OP)
If inspecting a script is a good way to avoid evil software, bugs would not exist.
[go to top]