`curl | sh` (was Re: [ann] Blog post on Luvit without Luvit)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: `curl | sh` (was Re: [ann] Blog post on Luvit without Luvit)
From: Peter Aronoff <telemachus@...>
Date: Thu, 5 May 2016 15:20:50 -0400

On Thursday, May 05, 2016 at 11:41AM, Tim Caswell wrote:
> Everything is somewhere on the range between convenience and security.
> I offer two good points on this range.  They are curl-pipe-bash for
> maximum convenience and build from source using GPG signed git tags (over
> ssh or https).
> 
> I don't see added value for anyone in making the convenient option less
> convenient, but no more secure.  What you proposed isn't actually any
> safer really, it just provided a false sense of security.

I apologize if I was unclear, but I meant to be recommending your second
option: download and build from source. As you said in your mail, there are
ways to make building from source more secure through shasums, GPG signing,
etc. That is, I'd rather drop the curl-pipe-bash option altogether.

> Thanks for your two cents.  I'm sorry if I come off as combative and
> I can see you have genuine concern.  I simply disagree that changing
> things will actually improve anything.

You don't seem combative to me at all, though thanks for saying this. For
my part, I hope that I'm not being too much of a pain in the ass. I agree
that we disagree (!), and I'll say briefly where I think the heart of the
disagreement is (I may be wrong about this).

For me, the convenience of `curl | sh` is very real, but it trains people
in bad habits. I worry that someone will take advantage of that habituation
and potentially do a lot of damage. So I'd rather give up the convenience
and train people in better habits. I think that *you* are very trustworthy,
but I worry about teaching people that `curl | sh` is fine. I suspect that
you've decided the trade-off is worth it and that the likelihood of someone
exploiting the `curl | sh` habit is low enough that it's worth it for you
and your users. I can respect that, even if we disagree.

A compromise might be to recommend that people use a tool like curlbash[1]
which is designed to protect against some of the more obvious `curl | sh`
dangers. That would still remove most of the convenience though since
people would need to install curlbash itself first. So probably it's not
a very good compromise from that point of view.

Thanks, Peter

[1] curlbash: https://github.com/silentbicycle/curlbash

-- 
We have not been faced with the need to satisfy someone else's
requirements, and for this freedom we are grateful.
    Dennis Ritchie and Ken Thompson, The UNIX Time-Sharing System

Follow-Ups:
- Re: `curl | sh` (was Re: [ann] Blog post on Luvit without Luvit), Jonathan Goble

References:
- Re: [ann] Blog post on Luvit without Luvit, Tim Caswell
- Re: [ann] Blog post on Luvit without Luvit, Peter Aronoff
- Re: [ann] Blog post on Luvit without Luvit, Tim Caswell

Prev by Date: Re: [ANN] Lua 5.3.3 (rc1) now available
Next by Date: Re: [ANN] Lua 5.3.3 (rc1) now available
Previous by thread: Re: [ann] Blog post on Luvit without Luvit
Next by thread: Re: `curl | sh` (was Re: [ann] Blog post on Luvit without Luvit)
Index(es):
- Date
- Thread