this post was submitted on 19 Feb 2025
286 points (92.1% liked)

Mildly Infuriating

36809 readers
1413 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...

4. No Porn/ExplicitContent

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...

5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.

...

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 2 years ago
MODERATORS
LillianVS@lemmy.world
STRIKINGdebate2@lemmy.world
Tenthrow@lemmy.world
286
When software devs expect you to pipe a script straight from the internet into Bash... (dubvee.org)
submitted 2 days ago* (last edited 2 days ago) by ptz@dubvee.org to c/mildlyinfuriating@lemmy.world
83 comments fedilink hide all child comments
 

Developers: I will never ever do that, no one should ever do that, and you should be ashamed for guiding people to. I get that you want to make things easy for end users, but at least exercise some bare minimum common sense.

The worst part is that bun is just a single binary, so the install script is bloody pointless.

Bonus mildly infuriating is the mere existence of the .sh TLD.

Edit b/c I'm not going to answer the same goddamned questions 100 times from people who blindly copy/paste the question from StackOverflow into their code/terminal:

WhY iS ThaT woRSe thAn jUst DoWnlOADing a BinAary???

  1. Downloading the compiled binary from the release page (if you don't want to build yourself) has been a way to acquire software since shortly after the dawn of time. You already know what you're getting yourself into
  2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release's checksums file.
  3. Binaries can also be signed (not that signing keys have never leaked, but it's still one step in the chain of trust)
  4. The install script they're telling you to pipe is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there's lots of things that can go wrong with that.

The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice.

you are viewing a single comment's thread
view the rest of the comments
[–] needanke@feddit.org 26 points 2 days ago* (last edited 2 days ago) (12 children)

Would you prefere

$ curl xyz
$ chmod +x xyz
$ ./xyz

?

[–] ptz@dubvee.org 6 points 2 days ago (9 children)

I mean, how about:

  1. Download the release for your arch from the releases page.
  2. Extract to ~/.local/bin
  3. Run
[–] masto@lemmy.masto.community 18 points 2 days ago (1 children)

I think you missed the point.

Why is that safer/better? That binary can do anything a shell script can, and it’s a lot harder to inspect.

[–] ptz@dubvee.org 2 points 2 days ago* (last edited 2 days ago) (1 children)
  1. That's been the way to acquire software since shortly after the dawn of time. You already know what you're getting yourself into.
  2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release's checksums file.
  3. Binaries can also be signed (not that signing keys have never leaked, but it's still one step in the chain of trust)
  4. The install script is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there's lots of things that can go wrong with that.

The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice

[–] uranibaba@lemmy.world 9 points 2 days ago (2 children)

If you trust them enough to use their binary, why don't you trust them enough to run their install scripts as well?

[–] moonpiedumplings@programming.dev 5 points 2 days ago* (last edited 2 days ago)

Trust and security aren't just about protecting from malice, but also mistakes.

For example, AUR packages are basically install scripts, and there have been a few that have done crazy things like delete a users /bin — not out of any malice, but rather simple human error.

Binaries are going to be much, much less prone to these mistakes because they are in languages the creators have more experience with, and are comfortable in. Just because I trust someone to write code that runs on my computer, doesn't mean I trust them to write an install script, especially given how many footguns bash has.

Steam once deleted someone's home directory.

[–] jatone@lemmy.dbzer0.com 5 points 2 days ago (1 children)

How do you know the script hasnt been compromised? Is every user competent enough to evaluate it to ensure its safe to run?

Using package managers to handle this provides a couple things: First: most package manager have builtin mechanisms to ensure the binary is unmodified Second: they provide a third party validating them.

[–] uranibaba@lemmy.world 4 points 2 days ago (1 children)

How do you know the script hasnt been compromised?

You don't, same as you don't know if the binary has been compromised, just like when a npm package deleted files for russian users. I get that running scripts from the internet without looking at them first to understand what they do is not secure, but downloading and running anything from the internet is coupled with some amount of risk. How do you know that you won't be mining crypto currency in addition to the original purpose of the binary? You don't unless you read the source code.

It all comes down to if you trust the provider or not. Personally, if I trust them enough to run binary files on my computer, I trust them enough to use their scripts for installation. I don't agree that something is more unsafe just because it is a script.

package manager

Not everything is provided with a package manager, and not everything is up to update with the OS provided package manager. I agree that one should ideally use a package manager with third party validation if that is an option.

[–] jatone@lemmy.dbzer0.com 0 points 2 days ago (1 children)
  1. no one is talking about NPM libraries. we're talking about released packages.
  2. you absolutely can ensure a binary hasnt been tampered with. its called checksumming.
  3. you're confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.

Not everything is provided with a package manager

Yes. thats precisely the problem we're pointing out to you. if you're going to provide software over the internet provide a proper package with checksum validation. its not hard, stop providing bash scripts.

[–] uranibaba@lemmy.world 2 points 2 days ago (1 children)

no one is talking about NPM libraries. we’re talking about released packages. you absolutely can ensure a binary hasnt been tampered with. its called checksumming.

I just took NPM as an example of code that was trusted doing shady things. And I know what checksums are and how they work. What I meant is that the developer providing you with the checksum has put in malicious code in the binary. You don't know. (I don't think that is very likley but it all boils down to trust.)

you’re confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.

No, I don't think I am?

Yes. thats precisely the problem we’re pointing out to you.

And I am saying that it is not that big of a problem.

[–] jatone@lemmy.dbzer0.com 0 points 1 day ago* (last edited 1 day ago)

we all know what you meant. you're just incorrect, your conflating multiple different types of attacks and asserting the one that is easiest to resolve is an equivalent problem. shrug

  1. if the developer of the application is writing malware, its malware end of story. its usually discovered rapidly and people avoid it.
  2. supply chain attacks are harder to achieve (i.e. uploading a tainted binary to a software repository)
  3. curling a shell script is pretty much the easiest target. you have a bunch of randomly setup servers serving a program that literally intended to install software on systems. You now have a large surface area random from typo attacks, to dns poisoning etc.

many devs i've encountered in the wild (FANG/startups/randomly) can barely sort a list without causing problems. so now we have people hosting multiple servers they probably didn't configure correctly. meaning instead of a few centralized repositories we need to secure we now have to trust these individual people have enough technical know how to safely host such a setup.

thats the problem with these setups. its not the developer being a bad actor we're worried about, its the systems they've setup to serve these scripts. with checksums and side channels its easy to validate the resulting binary. which can effectively nips any issues with a compromised repository.

load more comments (7 replies)
load more comments (9 replies)