this post was submitted on 21 May 2024
204 points (96.4% liked)
Programming
22274 readers
332 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I would encourage you to read up on the issue before thinking they haven't.
Here is the most sophisticated exploit: Detecting the use of "curl | bash" server side.
It is also terrible conditioning to pipe stuff to bash because it's the equivalent of "just execute this
.exe, bro". Sure, right now it's github, but there are other curl|bash installs that happen on other websites.Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.
Anti Commercial-AI license
But..."just execute this
.exe, bro" is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?No, it was compiled by the team which maintains my distro's package repository, and cryptographically verified to have come from them by my package manager. That's a lot different than downloading some random executables I pulled from a website I'd never heard of before and immediately running them as root.
Everything you've ever needed was available in your distro's package manager?