[COFF] [TUHS] Generational development [was Re: Re: Early GUI on Linux]

Dan Cross crossd at gmail.com
Tue Feb 28 08:07:32 AEST 2023


On Mon, Feb 27, 2023 at 4:52 PM Michael Stiller <mstiller at me.com> wrote:
> > I find this a little odd. If I go back to O'Reilly books from the
> > early 90s, there was advice to do all sorts of suspect things in them,
> > such as fetching random bits of pieces from random FTP servers (or
> > even using email fetch tarballs [!!]). Or downloading shell archives
> > from USENET.
> >
> > And of course you _can_ download the script and read through it if you want.
>
> This does not help, you can detect that on the server and send something else.

What? You've already downloaded the script. Once it's on your local
machine, why would you download it again?

> https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

If I really wanted to see whether it had been tampered with, perhaps
spin up a sacrificial machine and run,

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | tee the.script | sh

and compare to the output of,

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > the.script.nopipeshell

        - Dan C.
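
As an added example (not part of the original message): a POSIX sh helper that compares the two captures produced by the commands above, the.script and the.script.nopipeshell. The function names, return codes and sample file contents are assumptions of this sketch; it also separates a truncated piped capture from a real content difference.

```shell
#!/bin/sh
# Added example: compare the piped and non-piped captures of an install script.
# Return codes (assumptions of this sketch): 0 identical, 1 content differs,
# 2 one capture is a strict prefix of the other (truncated), 3 unreadable file.

digest() {
    # Print the SHA-256 of a file using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

compare_captures() {
    piped=$1 plain=$2
    [ -r "$piped" ] && [ -r "$plain" ] || { echo "missing capture" >&2; return 3; }
    echo "piped: $(digest "$piped")  $piped"
    echo "plain: $(digest "$plain")  $plain"
    if cmp -s "$piped" "$plain"; then
        echo "identical"; return 0
    fi
    # tee can stop early if sh exits before reading all of its input, so
    # check for truncation before treating the difference as tampering.
    psize=$(($(wc -c < "$piped"))); nsize=$(($(wc -c < "$plain")))
    if [ "$psize" -lt "$nsize" ]; then short=$piped long=$plain n=$psize
    else short=$plain long=$piped n=$nsize; fi
    if [ "$psize" -ne "$nsize" ] && head -c "$n" "$long" | cmp -s - "$short"; then
        echo "truncated: $short is a prefix of $long"; return 2
    fi
    echo "content differs:"
    diff -u "$plain" "$piped"
    return 1
}

# Constructed sample captures (not real installer content).
d=$(mktemp -d)
printf 'echo step1\necho step2\n' > "$d/plain"
printf 'echo step1\necho other\n' > "$d/piped"
compare_captures "$d/piped" "$d/plain" || echo "exit status: $?"
rm -rf "$d"
```

With the real files, the call is compare_captures the.script the.script.nopipeshell once both commands have finished.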

