Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points | ingve | 1 comments
tuhgdetzhh ◴[] No.46182258[source]
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
stouset ◴[] No.46184808[source]
I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.
replies(2): >>46185279 #>>46186741 #
romaniitedomum ◴[] No.46185279[source]
> I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

The issue is provenance. Where is the script getting the binary from? Who built that binary? How do we know that binary wasn't tampered with? I'll lay odds the install script isn't doing any kind of GPG/PGP signature check. It's probably not even doing a checksum check.

I'm prepared to trust an executable built by certain organisations and persons, provided I can trace a chain of trust from what I get back to them.

replies(1): >>46186706 #
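The checksum check the comment above says install scripts usually skip, written out as an added example (not code from the thread or from the project being discussed): the installer is downloaded to a file first and executed only if its SHA-256 matches a hash pinned out of band. The installer contents and the pinned value are constructed inside the script; `sha256sum`, `shasum`, `mktemp` and `sh` are assumed to be available.

```bash
#!/bin/sh
# Added example (not from the thread): run an installer script only after its
# SHA-256 matches a hash pinned out of band (e.g. taken from the project's
# release page), instead of piping the download straight into sh.
set -eu

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified_installer FILE EXPECTED_HEX: execute FILE with sh only after the
# checksum matches; on a mismatch return 2 without executing anything.
run_verified_installer() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to execute $1: checksum mismatch" >&2
        return 2
    fi
}

# Demo with constructed files: the pin is taken from the genuine copy, and a
# copy with one line appended after pinning must be rejected.
# Returns 0 only if the genuine copy ran and the altered copy was refused.
demo_pin_rejects_altered_copy() {
    dir=$(mktemp -d)
    printf 'echo "genuine installer ran"\n' > "$dir/install.sh"
    pin=$(sha256_of "$dir/install.sh")   # publisher-side pinning, simulated
    cp "$dir/install.sh" "$dir/altered.sh"
    printf 'echo "line not present when the hash was published"\n' >> "$dir/altered.sh"
    genuine=0; altered=0
    run_verified_installer "$dir/install.sh" "$pin" >/dev/null || genuine=$?
    run_verified_installer "$dir/altered.sh" "$pin" 2>/dev/null || altered=$?
    rm -rf "$dir"
    [ "$genuine" -eq 0 ] && [ "$altered" -eq 2 ]
}
```

A pinned hash only proves the file matches what the publisher posted; it says nothing about who built the binary the script then fetches, which is the signature question the comment raises.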
1. ◴[] No.46186706[source]