[COFF] [TUHS] Re: Generational development [was Re: Re: Early GUI on Linux]
Chet Ramey
chet.ramey at case.edu
Wed Mar 1 00:53:44 AEST 2023
On 2/27/23 7:28 PM, Dan Cross wrote:
> Huh? Rustup is the context that this came up in:
I think if you look back in the thread, you'll find that the message from
segaloco was a reply to a message of mine where I criticized the practice
of piping from `wget' to `sh'. That's the context.
>> But just because you don't run `sudo sh' when using
>> `rustup' doesn't mean there aren't a disturbingly large number of
>> installers -- or whatever -- for which that is the recommended workflow.
>>
>> Nor does the fact that `rustup' is a safe example mean that this is a safe
>> practice in general. I posit that it's a bad idea in general to blindly
>> run scripts you download from the Internet, and it's especially bad to
>> do it as root. Depending on how you accept risk, you can choose to do
>> things about it, but that's often not part of recommendations.
>
> I cannot help but point out that this is moving the goalposts somewhat
> from the specific context that I was responding to. If we're now
> talking about things in general then I agree with you.
We were talking about the general practice before Matt used `rustup' as a
specific example. I'm glad we agree it's a bad idea.
>> In any case, if you want
>> to, you can have a workflow where you rebuild configure yourself.
>
> This is true, but then there's the autotools source stuff that you've
> got to inspect as well, and on and on.
Sure, there's always a limit to where trust takes over. It's ultimately
who you trust to do the packaging: is it your distro/OS vendor, your
package manager (e.g., macports, homebrew), free software distributors
(e.g., signed tar files from gnu.org), or the authors themselves?
> Or perhaps they just cargo-cult it and don't
> really think about it, which (I think) hews closer to the argument
> that folks here have been making.
That's pretty close to the point I was making originally.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet at case.edu http://tiswww.cwru.edu/~chet/