Most active commenters
  • shakna(5)
  • ndsipa_pomu(4)
  • saagarjha(3)

←back to thread

Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 35 comments | 07 Dec 25 11:51 UTC | HN request time: 0.471s | source | bottom
1. tuhgdetzhh ◴[07 Dec 25 15:13 UTC] No.46182258[source]
I'm always a bit shocked how casual people people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
2. balder1991 ◴[07 Dec 25 15:28 UTC] No.46182378[source]
Even assuming it’s not malicious, the script can mess up your environment configuration.
replies(2): >>46182619 #>>46189863 #
3. zenlot ◴[07 Dec 25 15:41 UTC] No.46182490[source]
If you don't trust the software, don't install it.
replies(1): >>46189317 #
4. exe34 ◴[07 Dec 25 15:56 UTC] No.46182619[source]
I'm so thankful for nixos for making it hard for me to give in to that temptation. you always think "oh just this once". but with nixos I either have to do it right or not bother.
replies(1): >>46182859 #
5. hombre_fatal ◴[07 Dec 25 16:24 UTC] No.46182859{3}[source]
NixOS gives you a place to configure things in a reproducible way, but it doesn’t require you do it.
replies(2): >>46184395 #>>46185069 #
6. OptionOfT ◴[07 Dec 25 17:16 UTC] No.46183270[source]
Equally I don't like how many instructions and scripts everywhere use shorthands.

Sometimes you see curl -sSLfO. Please, use the long form. It makes life easier for everybody. It makes it easier to verify, and to look up. Finding --silent in curl's docs is easier than reading through every occurrence of -s.

   curl --silent --show-error --location --fail --remote name https://example.com/script.sh
Obligatory xkcd: https://xkcd.com/1168/
replies(5): >>46183416 #>>46185213 #>>46186791 #>>46189653 #>>46191309 #
7. ndsipa_pomu ◴[07 Dec 25 17:34 UTC] No.46183416[source]
Absolutely agree.

The shorthands are for when typing it at a console and the long form versions should be used in scripts.

8. VMG ◴[07 Dec 25 19:19 UTC] No.46184246[source]
The thing that gets installed, if it is an executable, usually also has permissions to do scary things. Why is the installation process so scrutinized?
replies(2): >>46187131 #>>46195853 #
9. tombert ◴[07 Dec 25 19:35 UTC] No.46184395{4}[source]
It sort of does actually, at least if you don't have nix-ld enabled. A lot of programs simply won't start if they're not static-linked, and so a lot of the time if you download a third-party script, or try to install it when the `curl somesite.blah | sh`, it actually will not work. Moreover, it also is likely that it won't be properly linked in your path unless you do it thr right way.
10. stouset ◴[07 Dec 25 20:24 UTC] No.46184808[source]
I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.
replies(2): >>46185279 #>>46186741 #
11. exe34 ◴[07 Dec 25 20:55 UTC] No.46185069{4}[source]
$ ./Downloads/tmp/xpack-riscv-none-elf-gcc-15.2.0-1/bin/riscv-none-elf-cpp Could not start dynamically linked executable: ./Downloads/tmp/xpack-riscv-none-elf-gcc-15.2.0-1/bin/riscv-none-elf-cpp NixOS cannot run dynamically linked executables intended for generic linux environments out of the box. For more information, see: https://nix.dev/permalink/stub-ld

You have to go out of your way to make something like that run in an fhs env. By that point, you've had enough time to think, even with ADHD.

12. Terr_ ◴[07 Dec 25 21:13 UTC] No.46185213[source]
For a small flight of fancy, imagine if each program had a --for-docs argument, which causes it to simply spit out the canonical long-form version equivalent to whatever else it has been called with.
replies(1): >>46190337 #
13. romaniitedomum ◴[07 Dec 25 21:22 UTC] No.46185279[source]
> I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

The issue is provenance. Where is the script getting the binary from? Who built that binary? How do we know that binary wasn't tampered with? I'll lay odds the install script isn't doing any kind of GPG/PGP signature check. It's probably not even doing a checksum check.

I'm prepared to trust an executable built by certain organisations and persons, provided I can trace a chain of trust from what I get back to them.

replies(1): >>46186706 #
14. ◴[07 Dec 25 23:57 UTC] No.46186706{3}[source]
15. shakna ◴[08 Dec 25 00:01 UTC] No.46186741[source]
Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

replies(2): >>46188405 #>>46208400 #
16. scrame ◴[08 Dec 25 00:08 UTC] No.46186791[source]
agreed. i get if you're great at cli usage or have your own scripts, but if you're publishing for general use, it should be long form. that includes even utility scripts for a small team.

also, putting it out long-form you might catch some things you do out of habit, rather than what's necessary for the job.

replies(1): >>46190315 #
17. davnicwil ◴[08 Dec 25 00:59 UTC] No.46187131[source]
I think there's a fundamental psychological reason for this - people want to feel like some ritual has been performed that makes at least some level of superficial sense, after which they don't have to worry.

You see this in all the obvious examples of physical security.

In the case of software it's the installation that's the ritual I guess. Complete trust must be conferred in the software itself by definition, so people just feel better knowing for near certain that the software installed is indeed 'the software itself'.

18. saagarjha ◴[08 Dec 25 04:40 UTC] No.46188405{3}[source]
What’s your alternative?
replies(1): >>46189112 #
19. shakna ◴[08 Dec 25 06:34 UTC] No.46189112{4}[source]
A mirrored package manager, where signature and executable are always grabbed from different sources.

Like apt, dnf, and others.

replies(1): >>46189844 #
20. nurettin ◴[08 Dec 25 07:12 UTC] No.46189317[source]
Trusting software would be foolish. Most software has access to file system and the net. Due to practical reasons, I have no energy or time to verify whether the next update of libsecure came with a trojan or stole my env, neither do you. I just acknowledge this fact, take a risk and install it.
21. yjftsjthsd-h ◴[08 Dec 25 08:07 UTC] No.46189653[source]
> Finding --silent in curl's docs is easier than reading through every occurrence of -s.

Dumb trick: Search prefixed with 2 spaces.

  man curl
  /  -s
Yields exactly one hit on my machine. In the general case, you may have to try one and two spaces.
22. saagarjha ◴[08 Dec 25 08:36 UTC] No.46189844{5}[source]
Pretty sure my apt sources have the signing and package pointing to the same place
replies(1): >>46189948 #
23. maccard ◴[08 Dec 25 08:38 UTC] No.46189863[source]
So can a random deb, or npm package, or pip wheel? You’re either ok with executing unverified code or not - piping wget into bash doesn’t change that
replies(1): >>46190940 #
24. shakna ◴[08 Dec 25 08:50 UTC] No.46189948{6}[source]
If you have more than a single source, then apt will already be checking this for you.

The default is more than a single source.

replies(1): >>46190634 #
25. ndsipa_pomu ◴[08 Dec 25 09:40 UTC] No.46190315{3}[source]
Another possible advantage is that I invariably have to check the man page to find the appropriate long-form option and sometimes spot an option that I didn't know about.
26. ndsipa_pomu ◴[08 Dec 25 09:44 UTC] No.46190337{3}[source]
Or, a separate program that can convert from short to long form:

> for-docs "ls -lrth /mnt/data"

ls -l --reverse -t --human-readable -- /mnt/data

(I'd put in an option to put the options alphabetically too)

replies(1): >>46197395 #
27. saagarjha ◴[08 Dec 25 10:21 UTC] No.46190634{7}[source]
All of mine point to like somethingsomething.ubuntu.com
replies(1): >>46191076 #
28. dubi_steinkek ◴[08 Dec 25 11:05 UTC] No.46190940{3}[source]
Maybe they can with postinstall scripts, but they usually don't.

For the most part, installing packaged software simply extracts an archive to the filesystem, and you can uninstall using the standard method (apt remove, uv tool remove, ...).

Scripts are way less standardized. In this case it's not an argument about security, but about convenience and not messing up your system.

29. shakna ◴[08 Dec 25 11:29 UTC] No.46191076{8}[source]
If it points to mirror.ubuntu.com, it'll be mirroring at host end, instead of inside apt. But as apt does do resolution to a list, it'll be fetching from multiple places at once.
30. lionkor ◴[08 Dec 25 12:06 UTC] No.46191309[source]
Aren't there tools for which the short flags are standardized (e.g. POSIX) but the long flags aren't?
31. tuhgdetzhh ◴[08 Dec 25 18:30 UTC] No.46195853[source]
It would raise the same kind of alert for me if someone used wget to download a binary executable instead of a shell script.

The issue is not the specific form in which code is executed on your machine, but rather who is allowed by you to run code on your computer.

I don't trust arbitrary websites from the Internet, especially when they are not cryptographically protected against malicious tampering.

However, I do trust, for instance, the Debian maintainers, as I believe they have thoroughly vetted and tested the executables they distribute, with a cryptographic signature, to millions of users worldwide.

32. Terr_ ◴[08 Dec 25 20:43 UTC] No.46197395{4}[source]
While I'd appreciate that facility too, it seems... even-more-fanciful, as one tool would need to somehow incorporate all the logic and quirks of all supported commands, including ones which could be very destructive if anything went wrong.

Kind of like positing a master `dry-run` command as opposed to different commands implementing `--dry-run` arguments.

replies(1): >>46202396 #
33. ndsipa_pomu ◴[09 Dec 25 07:55 UTC] No.46202396{5}[source]
I did muck around with using "sed" to process the "man" output to find a relevant long option in a one-liner, so it wouldn't be too difficult to implement.

I did something like this:

  _command="sed" _option="n"
  man -- "${_command}" | sed --quiet --expression  "s/^       -${_option}.*, //p"
Then I realised that a bit of logic is needed (or more complicated regexp) to deal with some exceptions and moved onto something else.
34. stouset ◴[09 Dec 25 18:16 UTC] No.46208400{3}[source]

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool
Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.

replies(1): >>46209345 #
35. shakna ◴[09 Dec 25 19:24 UTC] No.46209345{4}[source]
I'm not advocating for either of those.

    pacman -Sy {tool}
    pkg_add {tool}
    apt install {tool}
Even the AUR does a lot more to make you secure, than a straight curl - even though throwing things up there is easy.