
Microsoft Edit

(github.com)
486 points ethanpil | 1 comments
ocdtrekkie No.44372923
It'd be nice if they didn't recommend winget for installation though. winget is an egregious security risk that Microsoft has just like pretended follows even minimal security practices, despite just launching four years ago with no protection from bad actors whatsoever and then never implementing any improvements since.
dale_huevo No.44373306
winget is just Windows developers' version of curl | bash. Yet another example of Microsoft copying Linux features.
ocdtrekkie No.44373331
Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

There is no validation when you winget whether or not the executable is from the official source or that a third party contributor didn't tamper with how it's maintained.

1. dgfitz No.44373443
curl | bash is absolutely on my very short list of “things I’ll never do” and I wince when I see it. rm -rf starting from / is another. I watched someone type in (as root) “rm -rf / home/user/folder” once. By the time I realized what had happened it was too late.