28 Feb
2023
28 Feb
'23
8:53 p.m.
On 2/27/23 7:28 PM, Dan Cross wrote:
We were talking about the general practice before Matt used `rustup' as a
specific example. I'm glad we agree it's a bad idea.
Sure, there's always a limit to where trust takes over. It's ultimately
who you trust to do the packaging: is it your distro/OS vendor, your
package manager (e.g., macports, homebrew), free software distributors
(e.g., signed tar files from gnu.org) or the authors themselves?
Huh? Rustup is the context that this came up in:
I think if you look back in the thread, you'll find that the message from
segaloco was a reply to a message of mine where I criticized the practice
of piping from `wget' to `sh'. That's the context.
But just
because you don't run `sudo sh' when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
I cannot help but point out that this is moving the goalposts somewhat
from the specific context that I was responding to. If we're now
talking about things in general then I agree with you. In any case,
if you want
to, you can have a workflow where you rebuild configure yourself.
This is true, but then there's the autotools source stuff that you've
got to inspect as well, and on and on. Or perhaps they just cargo-cult it and don't
really think about it, which (I think) hews closer to the argument
that folks here have been making.
That's pretty close to the point I was making originally.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/