A random guy telling the world how to install some new software. An illustration.

@bagder It still feels weird we decided it was okay to just run a bash script off the web without looking at it.

At least if the URL gets compromised it can only affect your own files.

@fds @bagder not convinced it's any worse than downloading a tarball, unpacking it, and running the install script inside it locally
@fishidwardrobe @fds @bagder It is worse, as it might leave no trace. But regular users should do neither.
@uecker @fds @bagder what should they do, then? avoid running any programs they download?
@fishidwardrobe @fds @bagder Download programs from a trusted repository using a package manager.
@uecker @fds @bagder i'm sure the folks running your distro have checked every package themselves, so, sure.
@fishidwardrobe @fds @bagder It dramatically reduces the risk because of various checks being done. The XZ Utils backdoor was found by a Debian developer. But there is also another benefit: if there is a compromise, it can be traced reliably.