zlacker

[parent] [thread] 5 comments
1. bombca+(OP)[view] [source] 2023-09-27 00:20:52
This is basically https://xkcd.com/1200/

Anyone who really complains about curl | sudo is just doing it for nerd points, because I guarantee you they happily install all sorts of other software without "vetting" it.

And if someone caught someone doing trickery it'd be big news.

replies(2): >>tmpX7d+n1 >>spider+Da
2. tmpX7d+n1[view] [source] 2023-09-27 00:29:31
>>bombca+(OP)
Yup. It’s very “fake nerd” energy.
replies(1): >>nvy+e3
◧◩
3. nvy+e3[view] [source] [discussion] 2023-09-27 00:41:07
>>tmpX7d+n1
Rachel isn't a fake nerd though
replies(1): >>bombca+55
◧◩◪
4. bombca+55[view] [source] [discussion] 2023-09-27 00:53:25
>>nvy+e3
Someone can be "real" and still have bugaboos that are just not really worth it.
5. spider+Da[view] [source] 2023-09-27 01:29:35
>>bombca+(OP)
There are those of us who are security minded and will in fact download the script and check the sha1/sha256 and review the script before running it. Any time I see this curl sudo thing is when there's always another (manual) option. The shell scripts themselves aren't so complex that you can't figure out what they're doing, they're normally fairly straightforward, unless they were generated by some tool, or are in fact malware, so you can see if something looks funky before you run it. Sure, there can be a malware that makes it so you can't tell, but normally not.
replies(1): >>bombca+Xq
◧◩
6. bombca+Xq[view] [source] [discussion] 2023-09-27 03:19:58
>>spider+Da
It's all a web of trust.

If I don't trust the website to do curl | sudo bash then why do I trust the software that I would eventually install?

Even the old argument of "middleware devices modified the script en-route" is mostly removed by HTTPS everywhere.

And there are people like you who actually look at the script (and the compiled code, too!) to find things, because if they do find something in a script as big as HomeAssitant, they'll be famous.

[go to top]