Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 6 comments
tuhgdetzhh ◴[] No.46182258[source]
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
stouset ◴[] No.46184808[source]
I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.
replies(2): >>46185279 #>>46186741 #
shakna ◴[] No.46186741[source]
Between you and me are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

replies(2): >>46188405 #>>46208400 #
1. saagarjha ◴[] No.46188405[source]
What’s your alternative?
replies(1): >>46189112 #
2. shakna ◴[] No.46189112[source]
A mirrored package manager, where signature and executable are always grabbed from different sources.

Like apt, dnf, and others.

replies(1): >>46189844 #
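The pattern shakna describes (artifact from one place, its digest or signature from another, and nothing executed until the two agree) is what `curl | sh` skips. The script below is an added illustration, not code from the thread or from the linked article: it assumes the installer would be fetched from one placeholder host and its SHA-256 digest from a different one; to run offline, both files are constructed locally, and the digest check stands in for the signature check a package manager would do.

```shell
#!/bin/sh
# Added example (not from the thread): fetch, verify, then run, instead of
# piping a downloaded script straight into sh.
# Assumption: install.sh would come from downloads.example.invalid and
# install.sh.sha256 from checksums.example.invalid (placeholder hosts);
# here both are constructed locally so the example runs offline.

# Pick whichever SHA-256 tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run SCRIPT DIGEST_FILE
# Executes SCRIPT only when its digest equals the one recorded in DIGEST_FILE
# ("<hex>  <name>", as sha256sum prints). On mismatch nothing runs; returns 1.
verify_then_run() {
    expected=$(cut -d' ' -f1 "$2")
    actual=$(sha256_of "$1")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
    sh "$1"
}

# make_fixture DIR: constructed stand-ins for the two separate downloads.
make_fixture() {
    printf 'echo "installer ran"\n' > "$1/install.sh"
    printf '%s  install.sh\n' "$(sha256_of "$1/install.sh")" > "$1/install.sh.sha256"
}

# Scenario 1: script untouched, digests agree -> installer runs, returns 0.
run_clean() {
    d=$(mktemp -d)
    make_fixture "$d"
    verify_then_run "$d/install.sh" "$d/install.sh.sha256"
}

# Scenario 2: the script host serves a modified file after the digest was
# published elsewhere -> digests differ, nothing executes, returns 1.
run_tampered() {
    d=$(mktemp -d)
    make_fixture "$d"
    printf 'echo "extra line added after publication"\n' >> "$d/install.sh"
    verify_then_run "$d/install.sh" "$d/install.sh.sha256" 2>/dev/null
}

# Stand-alone demo: clean case runs, tampered case is refused.
run_clean
run_tampered || echo "tampered installer was blocked"
```

The digest only helps if it really is obtained through a channel the script host does not control; a checksum served next to the script on the same host adds nothing, which is the point of the separate-source design mentioned above.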
3. saagarjha ◴[] No.46189844[source]
Pretty sure my apt sources have the signing and package pointing to the same place.
replies(1): >>46189948 #
4. shakna ◴[] No.46189948{3}[source]
If you have more than a single source, then apt will already be checking this for you.

The default is more than a single source.

replies(1): >>46190634 #
5. saagarjha ◴[] No.46190634{4}[source]
All of mine point to like somethingsomething.ubuntu.com
replies(1): >>46191076 #
6. shakna ◴[] No.46191076{5}[source]
If it points to mirror.ubuntu.com, it'll be mirroring at host end, instead of inside apt. But as apt does do resolution to a list, it'll be fetching from multiple places at once.