by Ao7bei3s 3932 days ago
What, just because he's suggesting to use curl to download a file?

There's a difference between "curl ... | sh -" and this.

He's even separated it nicely into steps, so you can view that (very short) file in between.

What worries me more is that he doesn't properly quote $@, so this script will break when there are spaces in the filename. One of the reasons I hate bash.
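
The quoting problem described above, as an added example that is not from the thread or the script under discussion: a forwarding function written with an unquoted $@ re-splits a filename containing spaces into several arguments, while "$@" passes it through intact. The filename and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or the script it discusses.
# Demonstrates why an unquoted $@ breaks on filenames containing spaces.

# Stand-in for whatever the script hands its arguments to (e.g. git):
# reports how many arguments actually arrived.
count_args() {
    echo "$#"
}

# Unquoted $@: the shell re-splits every argument on whitespace, so
# "my file name.txt" arrives as three separate words.
forward_unquoted() {
    count_args $@
}

# Quoted "$@": each original argument is forwarded as one word.
forward_quoted() {
    count_args "$@"
}

# Returns 0 only if every argument names an existing path.
# The unquoted loop fails on a path with spaces because the split
# fragments ("my" and "file.txt") do not exist as files.
all_exist_unquoted() {
    for f in $@; do [ -e "$f" ] || return 1; done
    return 0
}

all_exist_quoted() {
    for f in "$@"; do [ -e "$f" ] || return 1; done
    return 0
}

# Constructed sample filename containing spaces.
sample="my file name.txt"
forward_unquoted "$sample"   # prints 3
forward_quoted "$sample"     # prints 1
```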

Wow, one of these days someone needs to make a Russian roulette binary that has a 1 in 20 chance to delete your home directory and post it to HN. Bonus points for including a link to the source without the Russian roulette so that people can 'read the source for the binary' before running it.

"Don't worry, you don't even need to 'sudo' this so it can't do any harm!" See, it's not running as root while it wipes clean your home folder.

Already exists, but is completely unrelated.

It's not curl that's the problem, it's the combination of download and execution in the "curl | sh -" pattern, which is not used in the article.

Not because he is suggesting curl. But because he is suggesting curling without TLS.

TLS wouldn't help; the greatest risk is the author himself sending a malicious script (no offense, Sergii).

So everyone needs to check the script before running it anyway. Which is easy, because it's a very short script.

(Of course, it's so short that it might as well have been an alias or, even better, just a copy-pasteable git command, but I guess the author really wanted to call it 'git punish'.)

How is this any different than any app/executable/script, period? When you download VLC, did you read all the code to check it's not installing a rootkit? When you added some Python lib, do you go through all the code and make sure that on the 20th run it doesn't upload your private ssh keys? Have you checked all the vim or emacs code in your latest download before running it? Maybe I'm missing the issue, but they all seem about the same level of bad.

Am I missing something?

No, what you're saying is exactly my point: there's nothing wrong here.