Eric Curtin

@marcan the one flow I can think of where it might break is if you lose your connection mid-delivery of the file, although I have not tested this. Could execute half a script.

But yes I agree, if you don't trust TLS, we might as well just deem https in general insecure.

Eric Curtin

@marcan the other benefit of a package (rpm), say from Fedora: not anyone can become a Fedora packager, you need a sponsor who trusts you. This could potentially be obtained via social engineering, of course.

But of course in this case it's a macOS installer and I don't know how auditing brew packagers works 😊

But I generally agree some of the arguments around curl|sh are silly.

mei

@ecurtin @marcan the general idiom I’ve seen is to have the script consist of only function definitions, followed by a call to main

Hector Martin

@ecurtin That's why we have a truncation guard (but even before we had it, I'm pretty sure for any arbitrary truncation point you could pick nothing bad would happen, given the simplicity of the bootstrap script).
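The idiom mei describes and the truncation guard Hector mentions, as an added example that is not the project's bootstrap script and not part of the thread: two constructed installer scripts, a naive one that runs each step as sh reads it and a guarded one that is nothing but function definitions until a final call to main. The helper feeds every possible byte-length prefix of each script into sh, the way a connection dropped mid-download would, and counts at how many cut points sh ran some but not all steps. The script names, step functions and MARK file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the project's bootstrap script: shows why a curl | sh
# installer written as function definitions followed by one call to main
# does not execute "half a script" when the download is cut short.
# Both installer scripts below are constructed for this illustration.

# Naive installer: each step runs as soon as sh has read that line.
NAIVE_SCRIPT='#!/bin/sh
echo step1 >> "$MARK"
echo step2 >> "$MARK"
echo step3 >> "$MARK"
'

# Guarded installer: nothing but definitions until the last line, so a
# truncated copy either defines some functions and exits, or runs main.
GUARDED_SCRIPT='#!/bin/sh
step1() { echo step1 >> "$MARK"; }
step2() { echo step2 >> "$MARK"; }
step3() { echo step3 >> "$MARK"; }
main() { step1; step2; step3; }
main "$@"
'
STEPS=3

# script_len SCRIPT: byte length of SCRIPT.
script_len() { printf '%s' "$1" | wc -c | tr -d ' '; }

# run_truncated SCRIPT NBYTES: pipe the first NBYTES bytes of SCRIPT into
# sh (what a connection dropped mid-download delivers) and print how many
# steps actually executed, counted via the MARK file each step appends to.
# A syntax error or non-zero exit from sh is expected and ignored.
run_truncated() {
  MARK=$(mktemp); export MARK
  printf '%s' "$1" | dd bs=1 count="$2" 2>/dev/null | sh >/dev/null 2>&1 || true
  wc -l < "$MARK" | tr -d ' '
  rm -f "$MARK"
}

# partial_truncations SCRIPT: number of prefix lengths 0..len at which sh
# executed some but not all steps (the "half a script" outcome).
partial_truncations() {
  len=$(script_len "$1"); n=0; partial=0
  while [ "$n" -le "$len" ]; do
    ran=$(run_truncated "$1" "$n")
    if [ "$ran" -gt 0 ] && [ "$ran" -lt "$STEPS" ]; then
      partial=$((partial + 1))
    fi
    n=$((n + 1))
  done
  echo "$partial"
}

echo "naive   installer: $(partial_truncations "$NAIVE_SCRIPT") cut points run a partial script"
echo "guarded installer: $(partial_truncations "$GUARDED_SCRIPT") cut points run a partial script"
echo "guarded installer delivered in full runs $(run_truncated "$GUARDED_SCRIPT" "$(script_len "$GUARDED_SCRIPT")") of $STEPS steps"
```

Every cut of the guarded script either stops at a parse error (an unterminated function body, or a bare `main(`), leaves only definitions behind, or delivers the final `main` call intact and runs all three steps; there is no prefix that runs step one without step three. Note that the guard only addresses truncation: a script that is delivered in full but was tampered with in transit is a TLS question, as the thread above says, not something this idiom can catch.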
