27 Feb
2023
27 Feb
'23
9:22 p.m.
[COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
On 2/27/23 4:01 PM, segaloco wrote:
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them,
such as fetching random bits of pieces from random FTP servers (or
even using email fetch tarballs [!!]). Or downloading shell archives
from USENET.
And of course you _can_ download the script and read through it if you want.
And no one forces anyone to use `rustup`. Most vendors ship some
version of Rust through their package management system these days.
- Dan C.
The official Rust book lists a blind script grab
from a website piped into a shell as their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.) 
27 Feb
27 Feb
9:42 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On 2/27/23 4:22 PM, Dan Cross wrote:
[COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea.
Look at the compromises the Python community has been dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
On 2/27/23 4:01 PM, segaloco wrote:
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them, The official Rust book lists a blind script grab
from a website piped into a shell as their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
10:01 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
On 2/27/23 4:22 PM, Dan Cross wrote:
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME.
I'm not sure how this is any less safe than downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
[COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea. On 2/27/23 4:01 PM, segaloco wrote:
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them, The official Rust book lists a blind script grab
from a website piped into a shell as their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.) Look at the compromises the Python community has been
dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism.
FWIW, when my old team brought the Rust toolchain into Google, we
investigated this issue at length. Another team (Android security, I
believe) had used `mrustc`, which is a Rust compiler written in C++,
to bootstrap the "real" Rust compiler from source. We then downloaded
and vendored each dependent crate (Rust library) that we needed, with
an auditing step. So it's entirely possible to work with Rust without
ever using `rustup`.
- Dan C.
11:23 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On 2/27/23 5:01 PM, Dan Cross wrote:
I suppose it's workflow-dependent. If your workflow for python development
involves using open-source components (ctx, pytorch, etc.) you get from
some repository like PyPI, you're going to be susceptible to attacks like
this.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey
<chet.ramey(a)case.edu> wrote:
You seem to be concentrating on `rustup', which is fine, it's your
preferred example. But just because you don't run `sudo sh' when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
On 2/27/23 4:22 PM, Dan Cross wrote:
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME. [COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea. On 2/27/23 4:01 PM, segaloco wrote:
> The official Rust book lists a blind script grab from a website piped into a shell as
their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them, I'm not sure how this is any less safe than
downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
Yeah, but with configure you don't want to. :-). In any case, if you want
to, you can have a workflow where you rebuild configure yourself.
Look at the compromises the Python community has
been dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism. 
11:42 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
I think you guys are on the same team but are maybe arguing with each
other more than is needed?
On Mon, Feb 27, 2023 at 06:23:32PM -0500, Chet Ramey wrote:
On 2/27/23 5:01 PM, Dan Cross wrote:
I suppose it's workflow-dependent. If your workflow for python development
involves using open-source components (ctx, pytorch, etc.) you get from
some repository like PyPI, you're going to be susceptible to attacks like
this.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
--
---
Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat
On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey
<chet.ramey(a)case.edu> wrote:
You seem to be concentrating on `rustup', which is fine, it's your
preferred example. But just because you don't run `sudo sh' when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
On 2/27/23 4:22 PM, Dan Cross wrote:
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME. [COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
>On 2/27/23 4:01 PM, segaloco wrote:
>>The official Rust book lists a blind script grab from a website piped into a shell
as their "official" install mechanism.
>
>Well, I suppose if it's from a trustworthy source...
>
>(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them,
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea. I'm not sure how this is any less safe than
downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
Yeah, but with configure you don't want to. :-). In any case, if you want
to, you can have a workflow where you rebuild configure yourself.
Look at the compromises the Python community has
been dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism.
28 Feb
28 Feb
12:29 a.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On Mon, Feb 27, 2023 at 6:42 PM Larry McVoy <lm(a)mcvoy.com> wrote:
I think you guys are on the same team but are maybe
arguing with each
other more than is needed?
Hey, the fine old USENET tradition of being in a state of violent agreement!
- Dan C.
On Mon, Feb 27, 2023 at 06:23:32PM -0500, Chet Ramey
wrote:
On 2/27/23 5:01 PM, Dan Cross wrote:
I suppose it's workflow-dependent. If your workflow for python development
involves using open-source components (ctx, pytorch, etc.) you get from
some repository like PyPI, you're going to be susceptible to attacks like
this.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
--
---
Larry McVoy Retired to fishing http://www.mcvoy.com/lm/boat On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey
<chet.ramey(a)case.edu> wrote:
You seem to be concentrating on `rustup', which is fine, it's your
preferred example. But just because you don't run `sudo sh' when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
On 2/27/23 4:22 PM, Dan Cross wrote:
>[COFF]
>
>On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
>>On 2/27/23 4:01 PM, segaloco wrote:
>>>The official Rust book lists a blind script grab from a website piped into a
shell as their "official" install mechanism.
>>
>>Well, I suppose if it's from a trustworthy source...
>>
>>(Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
>
>I find this a little odd. If I go back to O'Reilly books from the
>early 90s, there was advice to do all sorts of suspect things in them,
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea.
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME. I'm not sure how this is any less safe than
downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
Yeah, but with configure you don't want to. :-). In any case, if you want
to, you can have a workflow where you rebuild configure yourself.
Look at the compromises the Python community has
been dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism.
12:28 a.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On Mon, Feb 27, 2023 at 6:36 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
Hah!
I suppose it's workflow-dependent. If your workflow for python development
involves using open-source components (ctx, pytorch, etc.) you get from
some repository like PyPI, you're going to be susceptible to attacks like
this.
Indeed, supply-chain attacks both for software and hardware are
something that the industry generally hasn't given due consideration.
I think that's (slowly) changing. Hopefully we'll see more risk
analysis with respect to this going forward. Maybe the rustup folks
will even change; I've put an inquiry out.
- Dan C.
On 2/27/23 5:01 PM, Dan Cross wrote:
Huh? Rustup is the context that this came up in:
| On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
| > On 2/27/23 4:01 PM, segaloco wrote:
| > The official Rust book lists a blind script grab from a website
piped into a shell as their "official" install mechanism.
|
| Well, I suppose if it's from a trustworthy source...
|
| (Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey
<chet.ramey(a)case.edu> wrote:
You seem to be concentrating on `rustup', which is fine, it's your
preferred example. On 2/27/23 4:22 PM, Dan Cross wrote:
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME. [COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
> On 2/27/23 4:01 PM, segaloco wrote:
>> The official Rust book lists a blind script grab from a website piped into a
shell as their "official" install mechanism.
>
> Well, I suppose if it's from a trustworthy source...
>
> (Sorry, my eyes rolled so hard they're bouncing on the floor right now.)
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them,
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea. But just because you don't run `sudo sh'
when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
I cannot help but point out that this is moving the goalposts somewhat
from the specific context that I was responding to. If we're now
talking about things in general then I agree with you.
I'm not
sure how this is any less safe than downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
Yeah, but with configure you don't want to. :-). In any case, if you want
to, you can have a workflow where you rebuild configure yourself.
This is true, but then there's the autotools source stuff that you've
got to inspect as well, and on and on. Taken to its logical
conclusion, we're reading the source for the package (which, if one
has time, isn't necessarily a bad idea).
I think in the end, running any software package involves taking a
calculated risk in a number of dimensions: there's the obvious
correctness and security aspects, but also legal aspects with respect
to licensing and patents and so forth. For whatever it's worth, a lot
of people have decided that running a script downloaded from some HTTP
server somewhere is acceptable to them, provided it's decently
well-known and so on. Or perhaps they just cargo-cult it and don't
really think about it, which (I think) hews closer to the argument
that folks here have been making.
Look at the compromises the Python community has been
dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism.
2:53 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On 2/27/23 7:28 PM, Dan Cross wrote:
We were talking about the general practice before Matt used `rustup' as a
specific example. I'm glad we agree it's a bad idea.
Sure, there's always a limit to where trust takes over. It's ultimately
who you trust to do the packaging: is it your distro/OS vendor, your
package manager (e.g., macports, homebrew), free software distributors
(e.g., signed tar files from gnu.org), or the authors themselves?
Huh? Rustup is the context that this came up in:
I think if you look back in the thread, you'll find that the message from
segaloco was a reply to a message of mine where I criticized the practice
of piping from `wget' to `sh'. That's the context.
But just
because you don't run `sudo sh' when using
`rustup' doesn't mean there aren't a disturbingly large number of
installers -- or whatever -- for which that is the recommended workflow.
Nor does the fact that `rustup' is a safe example mean that this is a safe
practice in general. I posit that it's a bad idea in general to blindly
run scripts you download from the Internet, and it's especially bad to
do it as root. Depending on how you accept risk, you can choose to do
things about it, but that's often not part of recommendations.
I cannot help but point out that this is moving the goalposts somewhat
from the specific context that I was responding to. If we're now
talking about things in general then I agree with you. In any case,
if you want
to, you can have a workflow where you rebuild configure yourself.
This is true, but then there's the autotools source stuff that you've
got to inspect as well, and on and on. Or perhaps they just cargo-cult it and don't
really think about it, which (I think) hews closer to the argument
that folks here have been making.
That's pretty close to the point I was making originally.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
3:25 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On Tue, Feb 28, 2023 at 9:53 AM Chet Ramey <chet.ramey(a)case.edu> wrote:
On 2/27/23 7:28 PM, Dan Cross wrote:
Yes, it is quite clear we were speaking past one another.
- Dan C.
Huh? Rustup is the context that this came up in:
I think if you look back in the thread, you'll find that the message from
segaloco was a reply to a message of mine where I criticized the practice
of piping from `wget' to `sh'. That's the context.
4:03 p.m.
New subject: [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
On 2/28/23 10:25 AM, Dan Cross wrote:
On Tue, Feb 28, 2023 at 9:53 AM Chet Ramey
<chet.ramey(a)case.edu> wrote:
OK, let's not do that any more. :-)
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet(a)case.edu http://tiswww.cwru.edu/~chet/
On 2/27/23 7:28 PM, Dan Cross wrote:
Yes, it is quite clear we were speaking past one another. Huh? Rustup is the context that this came up in:
I think if you look back in the thread, you'll find that the message from
segaloco was a reply to a message of mine where I criticized the practice
of piping from `wget' to `sh'. That's the context.
432
days inactive
433
days old
9 comments
3 participants
participants (3)
-
Chet Ramey -
Dan Cross -
Larry McVoy