On 2/27/23 4:22 PM, Dan Cross wrote:
[COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
On 2/27/23 4:01 PM, segaloco wrote:
The official Rust book lists a blind script grab
from a website piped into a shell as their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them,
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea.
Look at the compromises the Python community has been dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu
http://tiswww.cwru.edu/~chet/