Hacker News new | ask | show | jobs
by ajross 355 days ago
> How are you actually verifying the software that you install?

By installing it through a well-audited, cryptocraphically-signed and community-maintained package list with a solid security history. What?

The bug here isn't that "it's hard to make downloading scripts secure!", it's that people on macs (and a few other communities, but really it's just OS X culture at fault here) insist on developing software with outrageous hackery like this and refuse to demand better from their platform.

Fix that. Don't pretend that linting (!!) shell scripts pulled off the open internet is going to do anything.
1 comments
subjectsigma 354 days ago
Why do you think it’s OS X culture and not Rust culture? Popular rust tools like starship, atuin, and cargo itself ask you to curl an installer. They certainly didn’t invent this but they did re popularize it
link
ajross 354 days ago
Most non-Apple rust users get it via a Linux distro's package manager, or by building from source. And after installation cargo is, if not Debian-quality, reasonably secure vs. attack (sub-linux but better than npm, basically).

While there are surely exceptions, that nonsense about "just run this unauthenticated script URL" is something unique the the Mac experience. And it's horrifying.

link
subjectsigma 354 days ago
> While there are surely exceptions, that nonsense ... is something unique the the Mac experience

Wait, so is it unique, or are there exceptions?... You can't really have it both ways, right? The more I think about this, it's a silly argument with no real evidence supporting it and I'm curious as to how you even thought of it.

> Most non-Apple rust users get it via a Linux distro's package manager, or by building from source.

Really? That's not what the official Rust documentation says to do. It says to curl-bash-pipe: https://doc.rust-lang.org/cargo/getting-started/installation... So how do you know Linux users are not doing this?

This guy made a list (which is now four years old) of projects that do this: https://kubikpixel.github.io/pipeinstall/ Not a single one is Mac only, all Linux or cross-platform. I'm sure it is woefully incomplete.

Here's another list: https://github.com/nightwatchcybersecurity/dont_curl_and_bas... I believe Homebrew is the only Mac-specific software on the list, otherwise it's all Linux or cross-platform.

Yet another list posted to HN in 2016, nearly all Linux software, including some GNU projects: https://gnu.moe/wallofshame.md (Though there are some entries here that were already in the other two)

The more I think about it, it's bizarre and kind of funny. There's so many real things you can hate on Apple (fans) for, why choose to make up stuff about their nefarious curl-bash practices?

link