by capableweb 1746 days ago
If you're smart enough to realize that there might be something to worry about, you should be smart enough to be able to figure out how to divide the command into three parts instead of one (download the script, inspect the contents and then run the same inspected [local] script).

Every time a project with curl | sh is featured on HN this comes up. At this point we might as well write a bot that scrapes submitted pages for "curl * | * (sh|bash)" and leave this comment for all of them.


> If you're smart enough to realize that there might be something to worry about, you should be smart enough to be able to figure out how to

This is gatekeeping 101. Some people are just starting out in security/software engineering and things like this might not be obvious to them. It's good that you have suggested what to do but there are different ways to "suggest" things.

> This is gatekeeping 101

What? How?

> Some people are just starting out in security/software engineering and things like this might not be obvious to them

That's fair enough. But I wish these beginners then didn't make claims like "security tools cannot be installed like this, it's insecure", and we would all be better off.

Either you know what you're talking about and you share your knowledge. Or, you listen and ask questions in order to eventually know what you're talking about.

>> This is gatekeeping 101

> What? How?

In many hobby communities, whenever new people ask questions, which are obvious to the more experienced people, some more experienced people become hostile/use more hostile language/say things like "you should know this wtf" etc. A fairly recent example I saw on Reddit of what I mean: https://www.reddit.com/r/AdeptusMechanicus/comments/h7s5gw/g...

> That's fair enough. But I wished these beginners then didn't make claims like "security tools cannot be installed like this, it's insecure", and we would all be better off.

I understand where you are coming from but this is an eternal struggle with any profession.

> Either you know what you're talking about and you share your knowledge. Or, you listen and ask questions in order to eventually know what you're talking about.

Yes and no, this is the Dunning-Kruger effect quite often: https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect https://imgur.com/r/psychology/jbo2gy5

So ‘curl; cat; bash’ and not ‘curl | sh’ because the server can detect the pace/existence of the pipe and sneak in some unsafe commands.
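The "download, inspect, then run the same inspected local copy" workflow from the first comment and the one above, written out as an added example (not code posted by any commenter). It assumes the installer is a plain shell script, that `curl` and `sha256sum` or `shasum` are available, and that the URL and hash shown in the usage comments are placeholders you replace with your own values:

```shell
#!/bin/sh
# Added example: fetch an installer script to a local file, let the user read it,
# and then run only that inspected local copy, never the live stream from the server.
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: download to a file. Nothing is executed at this point.
fetch_script() {  # fetch_script URL DEST
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# Steps 2 and 3: compare the local file against the hash you recorded after
# reading it, then run exactly those bytes. A mismatch means the file on disk is
# no longer the content you inspected, so it is not run.
run_inspected() {  # run_inspected FILE EXPECTED_SHA256
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: sha256 $actual != expected $2" >&2
        return 1
    fi
    sh "$1"
}

# Usage (hypothetical URL; the hash comes from your own inspection step):
#   fetch_script https://example.invalid/install.sh ./install.sh
#   less ./install.sh                 # read what was actually fetched
#   sha256_of ./install.sh            # record the hash of the copy you read
#   run_inspected ./install.sh <HASH_YOU_RECORDED>
```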