@bagder 😭
The video: https://youtu.be/kRmZ5zmMS2o
@bagder at least it’s not “sudo bash”?
Not that that makes me feel much better.
@bagder It still feels weird we decided it was okay to just run a bash script off the web without looking at it.
At least if the URL gets compromised it can only affect your own files.
@bagder i want an install.sh for curl which is downloadable with curl.
@bagder people running this kind of software are exactly the kind of people who would run a curl-pipe-bash, so it checks out.
@bagder Being a UNIX (these days, linux because that's the flow) guy ... NVIDIA driver blobs can kiss my skinny white butt. Was over it 20 years ago.
Why do you hurt yourselves? I have emergency numbers for people that like to cut themselves and I don't actually see a divergence. This scares me. I've been upside down at Mach1+ and jumped out of perfectly good helos
@bagder Can confirm, this is the standard way to install software now.
@bagder Joke's on you: wget -qO- https://curl.se/install-curl.sh | sudo bash
@bagder if curl needs another command-line option, how about something like --run
@bagder The longer I look at this image, the worse it gets.
@bagder they are advanced in cyber cyber security: they have moved the "sudo" bit from the command line into the downloaded script 🤦🏻‍♂️
@bagder I don't trust nvidia for hardware, even less for software.
@bagder let's be thankful it doesn't have weird """ligatures"""...??
@bagder
No different: https://rustup.rs/
@bagder I don't see random guy's name on https://curl.se/sponsors.html
@bagder as a security engineer I can say: "AaaAaaAaaAaaaah"
@bagder i like cunts but please cw
@bagder ah yes, just pipe random crap from the internet into bash
My favorite: #AsahiLinux , perhaps the easiest linux installation I've ever done.
@bagder 😭
@bagder brrrrr piping stuff straight into bash gives me shivers
@bagder hey that’s the sunday market guy selling leather jackets to boomers.
@bagder lol. He really says OpenClaw would be more popular than Linux, because it has more GitHub stars than the copy of the Linux repo on GitHub.
@bagder he forgot the sudo
@bagder How about adding a --bash and a --sudo/run0 options to curl?
"The average user easily obliges and installs an app when a random, suspicious-looking website asks them to. However, they resist installing Element, Signal, and other secure messaging applications after half an hour of their trusted friend or member explaining why it's a good idea to do so!"
Hah, that crossed my feed earlier this morning making it feel all the funnier.
However I've used this technique in the past when a VPS provider didn't let me insert an ISO boot image for my own BSD-install purposes. Used a file-backed md(4)-type device as the disk-image, installed to that, unmounted, rebooted the VPS to rescue mode, then something like
$ gzip -9 < freebsd.img | ssh root@$VPSIP 'gunzip > /dev/sda2'
and it worked like a charm.
And since I was in control of the sending & receiving sides and the link was over ssh, I didn't have any concerns about it.
Downloading untrusted $URL targets though? :shiver:
RE: https://mastodon.social/@bagder/116280705328672025
In 6 months
`curl -fsSL https://www.example.com/totally-legit | sudo claude --dangerously-skip-permissions`
will have completely replaced Ansible.
RT: https://mastodon.social/users/bagder/statuses/116280705328672025
@bagder I shouldn't judge the book on the cover but just seeing his slopified avatar makes me nauseous.
@bagder And curl|bash can be detected server side: https://github.com/m4tx/curl-bash-attack
Congratulations, you just installed malware!
@bagder there is "Ssl" in the command so it must be secure no?
...