by constantcrying 783 days ago
It is an awful habit of some open source projects to have the official way to install their software be to execute a shell script from the Internet. Nobody reads it, as they are usually quite complex and given the xz situation a well crafted shell script can seem harmless while being very dangerous.
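A safer pattern for the "run a shell script from the Internet" installs described above, as an added example that is not part of the thread: save the installer to a file, compare it against a SHA-256 digest obtained out of band (release page, signed announcement), and only execute it on a match. The function names and the demo installer are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: verify-then-run instead of curl | sh.
# Helper names (sha256_of, verify_digest, run_verified) are assumptions.

sha256_of() {
    # Print the SHA-256 of a file; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_digest() {
    # $1 = file, $2 = pinned digest. Returns 0 only on an exact match.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

run_verified() {
    # Refuse to execute the script unless its digest matches the pinned value.
    if ! verify_digest "$1" "$2"; then
        echo "digest mismatch for $1, refusing to run" >&2
        return 1
    fi
    sh "$1"
}

cleanup_demo() {
    rm -rf "$DEMO_DIR"
}

# Demo: a constructed installer written to a temp file. In real use the digest
# is pinned from the project's release page, not computed from the download.
DEMO_DIR=$(mktemp -d)
DEMO_SCRIPT="$DEMO_DIR/install.sh"
printf '#!/bin/sh\necho "installing (demo)"\n' > "$DEMO_SCRIPT"
DEMO_DIGEST=$(sha256_of "$DEMO_SCRIPT")   # stand-in for the published digest
```

Any change to the saved file after the digest was pinned, whether a tampered mirror or a modified CDN copy, makes run_verified refuse to execute it.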

How is this different to Windows users downloading a .exe file and running it?
Short answer: it's not, and that's the problem.

Long answer: Windows has a few conventions that make it "better", like a predictable place to install your files, a global authoritative "registry", and never having dynamically linked (and separately installed) dependencies. By sheer virtue of not having a good package manager, Windows has avoided dependency hell. That does, however, still leave it without the utility of a package manager.

Windows checks the code signing certificate of the exe, and if it isn't present and the binary isn't widely used, it shows you a big scary warning to discourage you from running it. And if the exe is signed, that at least tells you where to send the police after you were infected.

Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

> Windows checks the code signing certificate of the exe, and if it isn't present and the binary not widely used shows you a big scary warning to discourage you from running it.

Actually, even if the file is correctly signed but is new, users will still see the warning banners (unless using the more expensive EV Code Signing certs).

> Of course open source projects rarely sign their exes because those certificates are expensive ($300+/year).

I'm not sure where the $300/year comes from, but one can get valid certs for less than 50 EUR a year (https://shop.certum.eu/open-source-code-signing-on-simplysig...). I got a physical key one for 65 EUR and it worked just fine.

If the open source project is widely recognizable I'd suggest contacting https://signpath.org/ to get code signing for free (as in beer) via a simple GitHub Actions workflow.

That's great to see that they are so cheap now for open source work. I must have remembered the price of EV certificates (which are handy for completely getting rid of the warning screen and for getting Windows Defender off your back).
I skim little python or bash scripts after downloading them. Therefore, there’s at least one person who does it… sometimes. Nobody checks an exe!

Mostly it is the same though shrug. There thankfully don’t seem to be many hackers going after the niche of desktop Linux users.

It's better because you almost never need to give root permissions to the installer, unlike on Windows.
Yeah, usually it is just your user account: https://xkcd.com/1200/
Didn't the xz situation kinda prove that even reading the script is probably not gonna do you a lot of good if you're up against someone smart?
Exactly. Also, if you are already thinking in adversarial terms when using something, why would you even use the thing to begin with?

Maybe I'm too naïve.

> given the xz situation a well crafted shell script can seem harmless while being very dangerous

That’s exactly what they are saying.

The xz situation proved the opposite: if you're up against someone smart, you won't read the script (and you'll think you have).
The xz situation proved that while you didn't read the script, someone did detect the problem. It shows the benefit of many-eyes.