Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 2 comments
tuhgdetzhh ◴[] No.46182258[source]
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
balder1991 ◴[] No.46182378[source]
Even assuming it’s not malicious, the script can mess up your environment configuration.
replies(2): >>46182619 #>>46189863 #
1. maccard ◴[] No.46189863[source]
So can a random deb, or npm package, or pip wheel? You’re either ok with executing unverified code or not - piping wget into bash doesn’t change that
replies(1): >>46190940 #
2. dubi_steinkek ◴[] No.46190940[source]
Maybe they can with postinstall scripts, but they usually don't.

For the most part, installing packaged software simply extracts an archive to the filesystem, and you can uninstall using the standard method (apt remove, uv tool remove, ...).

Scripts are way less standardized. In this case it's not an argument about security, but about convenience and not messing up your system.