
Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 7 comments
tuhgdetzhh ◴[] No.46182258[source]
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
1. balder1991 ◴[] No.46182378[source]
Even assuming it’s not malicious, the script can mess up your environment configuration.
replies(2): >>46182619 #>>46189863 #
2. exe34 ◴[] No.46182619[source]
I'm so thankful for NixOS for making it hard for me to give in to that temptation. You always think "oh just this once". But with NixOS I either have to do it right or not bother.
replies(1): >>46182859 #
3. hombre_fatal ◴[] No.46182859[source]
NixOS gives you a place to configure things in a reproducible way, but it doesn’t require you to do it.
replies(2): >>46184395 #>>46185069 #
4. tombert ◴[] No.46184395{3}[source]
It sort of does actually, at least if you don't have nix-ld enabled. A lot of programs simply won't start if they're not static-linked, and so a lot of the time if you download a third-party script, or try to install it when the `curl somesite.blah | sh`, it actually will not work. Moreover, it also is likely that it won't be properly linked in your path unless you do it the right way.
5. exe34 ◴[] No.46185069{3}[source]
    $ ./Downloads/tmp/xpack-riscv-none-elf-gcc-15.2.0-1/bin/riscv-none-elf-cpp
    Could not start dynamically linked executable: ./Downloads/tmp/xpack-riscv-none-elf-gcc-15.2.0-1/bin/riscv-none-elf-cpp
    NixOS cannot run dynamically linked executables intended for generic
    linux environments out of the box. For more information, see:
    https://nix.dev/permalink/stub-ld

You have to go out of your way to make something like that run in an fhs env. By that point, you've had enough time to think, even with ADHD.

6. maccard ◴[] No.46189863[source]
So can a random deb, or npm package, or pip wheel? You’re either ok with executing unverified code or not - piping wget into bash doesn’t change that.
replies(1): >>46190940 #
7. dubi_steinkek ◴[] No.46190940[source]
Maybe they can with postinstall scripts, but they usually don't.

For the most part, installing packaged software simply extracts an archive to the filesystem, and you can uninstall using the standard method (apt remove, uv tool remove, ...).

Scripts are way less standardized. In this case it's not an argument about security, but about convenience and not messing up your system.