lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20221014052756.GA21730@1wt.eu>
Date:   Fri, 14 Oct 2022 07:27:56 +0200
From:   Willy Tarreau <w@....eu>
To:     David Laight <David.Laight@...LAB.COM>
Cc:     "Jason A. Donenfeld" <Jason@...c4.com>,
        Mark Brown <broonie@...nel.org>,
        "linux-toolchains@...r.kernel.org" <linux-toolchains@...r.kernel.org>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: gcc 5 & 6 & others already out of date?

On Fri, Oct 14, 2022 at 04:28:10AM +0000, David Laight wrote:
> From: Willy Tarreau
> > Sent: 13 October 2022 17:18
> ...
> > That's also the model where people routinely do:
> > 
> >     $ curl github.com/blah | sudo sh
> 
> Anyone doing that wants their head examined....

Most of the time they have no clue what they're doing, they just
copy-paste installation instructions. You find hundreds of projects
documenting this as the installation procedure, often in the nodejs
world it seems, and the fist complaint in general is not that it's a
bad practise but that it doesn't work on Mac! Random examples from
google's first page:

   https://gist.github.com/btm/6700524
   https://github.com/rclone/rclone/issues/3922
   https://gist.github.com/andrepg/71a15e915846acd41370e275eadb0478
   https://github.com/shellspec/shellspec/blob/master/install.sh

This one looks like a trap, it searches from local vulnerabilities
and suggests to be installed like this:

   https://github.com/carlospolop/PEASS-ng/blob/master/linPEAS/README.md

> I'm not sure I'd trust any source of files enough for that.

That's for a targetted audience.

> Maybe some things get run as root, and maybe they might
> do nasty things, but running random downloaded scripts
> is as bad as clicking on links in outlook.

Yes, or even despite a full end-to-end trust you still have the risk of
a truncated script, which you'd rather not face during rm -rf /tmp/blah.

Anyway we're getting out of topic here.

Willy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ