Sad to see #rust developers defending the practice of piping CURL into SUDO BASH. Convenience shouldn't trump safety or security.
Replying to @postmodern_mod3
@postmodern_mod3 Inconvenience can often result in unexpectedly worse security when people automate the inconvenient thing.
Replying to @postmodern_mod3
@postmodern_mod3 I'm not defending anything. Just saying that making things more manual rarely has the desired effect.
Replying to @wycats
@wycats so when will the `curl -s https://static.rust-lang.org/rustup.sh | sudo sh` be removed? Rust already has nightly binaries.
Replying to @postmodern_mod3
@postmodern_mod3 What is your suggestion for a solution that will not be automated to execute arbitrary code?
Replying to @postmodern_mod3
@postmodern_mod3 Downloading a nightly binary and clicking next/next/next is also executing untrusted code with sudo. What is the diff?
@postmodern_mod3 if the server is hacked, which is the vuln vector, the attacker can just upload a new binary with their own sig or no sig
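The thread's point of contention is what `curl ... | sudo sh` actually skips: the chance to inspect the script and to check it against something the serving host cannot forge. The following is an added example, not code from the thread or from the Rust project. It replaces the pipe with "save, verify against a pinned SHA-256, then run". The pinned hash is assumed to come from somewhere other than the download server (for instance a release announcement you trust or a signature made with a key you already hold); a hash or signature published alongside the file on the same host adds nothing if that host is compromised, which is exactly the scenario the last tweet describes. The URL, the `fetch_verify_run` helper and the demo script contents are hypothetical and constructed here.

```shell
#!/bin/sh
# Added example: fetch to a file, verify against an out-of-band pinned hash,
# and only then execute. Not the Rust project's installer.

# SHA-256 of a file, using coreutils sha256sum or shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_SHA256: returns 0 on match, 1 otherwise.
# EXPECTED_SHA256 must be obtained out of band, not from the same server.
verify_pinned() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
  return 1
}

# fetch_verify_run URL EXPECTED_SHA256: the drop-in for `curl ... | sudo sh`.
# The script lands on disk first (so it can be read before it is run),
# is checked against the pinned hash, and only then executed.
# (Hypothetical helper; needs network access, so the demo below does not call it.)
fetch_verify_run() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL -o "$tmp" "$url"; then
    rm -f "$tmp"; return 1
  fi
  if ! verify_pinned "$tmp" "$expected"; then
    rm -f "$tmp"; return 1
  fi
  sh "$tmp"        # prefix with sudo only if the script genuinely needs root
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Offline demonstration with a constructed "downloaded" script.
demo() {
  script=$(mktemp) || return 1
  printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$script"

  # Stand-in for the pinned value you would have recorded out of band.
  pinned=$(sha256_of "$script")

  # A tampered copy: same name, one extra line, as a compromised host could serve.
  tampered=$(mktemp) || { rm -f "$script"; return 1; }
  cat "$script" > "$tampered"
  printf '%s\n' 'echo "attacker payload"' >> "$tampered"

  verify_pinned "$script" "$pinned" && echo "genuine script: hash matches, would run"
  if verify_pinned "$tampered" "$pinned"; then
    echo "tampered script passed: this must not happen"
  else
    echo "tampered script refused (expected)"
  fi

  rm -f "$script" "$tampered"
}

demo
```

The same structure applies to a detached signature: the thing pinned ahead of time is the signing key's fingerprint, and the verification step is `gpg --verify` against a keyring containing only that key, so a signature made with whatever key an attacker uploaded next to the file fails in the same way the tampered hash does above.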