
Java Hello World, LLVM Edition

(www.javaadvent.com)
200 points ingve | 2 comments
tuhgdetzhh No.46182258
I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.

replies(5): >>46182378 #>>46182490 #>>46183270 #>>46184246 #>>46184808 #
stouset No.46184808
I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.
replies(2): >>46185279 #>>46186741 #
shakna No.46186741
Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

replies(2): >>46188405 #>>46208400 #
1. stouset No.46208400

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool
Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.

replies(1): >>46209345 #
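The comment above argues that `curl | sh` and `curl > ./tool; ./tool` are equivalent, and that many install scripts verify signatures anyway. As an added example (not code from the thread or from any project mentioned in it), here is the defender's version of the second flow: the artifact is written to disk and compared against a SHA-256 digest obtained out of band (a signed release manifest, release notes fetched over a different channel) before anything is executed. `install_pinned`, `verify_artifact`, the URL and the digest value are all assumed names and placeholders.

```shell
# Added example: "download, pin, then run" instead of "download and run".
# EXPECTED digests below are placeholders supplied by the caller, not real
# project values; the point is that the digest comes from somewhere other
# than the server that serves the file.

sha256_of() {
    # Print the hex SHA-256 of a file; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_HEX -> 0 on match, 1 on mismatch (nothing is run).
verify_artifact() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "refusing to use $file: digest mismatch" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_pinned URL EXPECTED_HEX DEST: fetch to a temp file, verify, and only
# then move it into place and mark it executable. A tampered or swapped file
# never gets past verify_artifact, unlike `curl ... | sh`.
install_pinned() {
    url="$1"; expected="$2"; dest="$3"
    tmp="$(mktemp)"
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_artifact "$tmp" "$expected"; then
        chmod u+x "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}
```

The check only helps if the expected digest is obtained over a channel the file's host cannot also edit; a hash printed on the same web page as the download link adds nothing, which is the point made about replaced public keys.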
2. shakna No.46209345
I'm not advocating for either of those.

    pacman -Sy {tool}
    pkg_add {tool}
    apt install {tool}
Even the AUR does a lot more to make you secure than a straight curl, even though throwing things up there is easy.