
Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 1 comments
tuhgdetzhh ◴[] No.46182258[source]
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

VMG ◴[] No.46184246[source]
The thing that gets installed, if it is an executable, usually also has permissions to do scary things. Why is the installation process so scrutinized?
1. tuhgdetzhh ◴[] No.46195853[source]
It would raise the same kind of alert for me if someone used wget to download a binary executable instead of a shell script.

The issue is not the specific form in which code is executed on your machine, but rather who is allowed by you to run code on your computer.

I don't trust arbitrary websites from the Internet, especially when they are not cryptographically protected against malicious tampering.

However, I do trust, for instance, the Debian maintainers, as I believe they have thoroughly vetted and tested the executables they distribute, with a cryptographic signature, to millions of users worldwide.
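
An added example, not part of the thread: a shell sketch of the verify-before-execute alternative to piping a download straight into `sh`, where the installer runs only if its SHA-256 matches a digest pinned in advance. The helper names `sha256_of` and `run_verified` are hypothetical, and the digest is assumed to come from a channel independent of the download server (for example a signed release note).

```shell
#!/bin/sh
# Verify-then-execute for a downloaded installer (illustrative helpers).
# A digest published on the same server as the script adds little: whoever
# can tamper with one can tamper with the other.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Return codes: 2 = digest mismatch (nothing executed), 3 = missing file,
# 4 = could not stage a private copy, otherwise the installer's own status.
run_verified() {
    file=$1; expected=$2; shift 2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }

    # Hash and execute the same private copy, so the file cannot be swapped
    # between the check and the run.
    tmp=$(mktemp) || return 4
    cp "$file" "$tmp" || { rm -f "$tmp"; return 4; }

    actual=$(sha256_of "$tmp")
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: expected $expected, got $actual" >&2
        rm -f "$tmp"
        return 2
    fi

    rc=0
    sh "$tmp" "$@" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

A matching digest only shows the file is the one the publisher pinned; whether that publisher deserves trust is the separate question the comments above are about.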