Sad to see #rust developers defending the practice of piping CURL into SUDO BASH. Convenience shouldn't trump safety or security.
@postmodern_mod3 In order to seriously have this conversation, we need to first identify the threat model.
@wycats let's instead focus on the problems of CURL | SUDO BASH.
@wycats 1) cannot review what was curled 2) sudo is only needed for installation, not OS detection or downloading.
@postmodern_mod3 Can't you curl first, review, then execute?
@wycats since you provide a single piped command, most users will just copy/paste that.
@postmodern_mod3 if you ask readers to review, most of them will not.
@wycats I don't see what's wrong with:
curl -o rustup.sh
sudo rustup.sh
Users can review the file and it leaves a paper trail.
@wycats users who don't care only have to copy/paste two lines, instead of one.
New conversation
@wycats also http://static.rust-lang.org is behind cloudfront, which has Grade B SSL. https://www.ssllabs.com/ssltest/analyze.html?d=static.rust-lang.org&latest
@wycats other options might be to only call sudo from within install_package(), or add separate --download/--install options.
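An added example, not rustup's installer and not code from either participant, showing the shape suggested in the thread: OS detection and download run unprivileged, the download is written to a file and logged with its SHA-256 so there is a paper trail to review, and sudo appears only inside install_package(), behind separate --download and --install options. INSTALLER_URL is a placeholder, the function names are the author's own, and SUDO can be overridden (for example SUDO=echo) to exercise the flow without privileges.

```shell
#!/bin/sh
# Added example: split "curl URL | sudo bash" into reviewable phases.
# Only install_package() ever invokes sudo.
set -eu

INSTALLER_URL="${INSTALLER_URL:-https://example.invalid/rustup.sh}"   # placeholder, not the real URL
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/installer-review}"
SUDO="${SUDO:-sudo}"   # set SUDO=echo for a dry run

# SHA-256 of a file, using whichever tool the host has
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Phase 1: OS detection needs no privileges
detect_os() { uname -s | tr '[:upper:]' '[:lower:]'; }

# Paper trail: timestamp, hash, size and path appended to a log so the exact
# bytes that were later executed can be identified. Prints the hash.
record_trail() {
  f="$1"
  sum=$(digest "$f")
  printf '%s sha256=%s bytes=%s path=%s\n' \
    "$(date -u +%FT%TZ)" "$sum" "$(wc -c <"$f" | tr -d ' ')" "$f" >>"$WORKDIR/trail.log"
  printf '%s\n' "$sum"
}

# Phase 2: download to a file (no privileges); prints path and hash for review
download_installer() {
  mkdir -p "$WORKDIR"
  curl -fsSL -o "$WORKDIR/installer.sh" "$INSTALLER_URL"
  sum=$(record_trail "$WORKDIR/installer.sh")
  printf 'downloaded %s (sha256 %s); review it, then run --install\n' "$WORKDIR/installer.sh" "$sum"
}

# Phase 3: install. The only place sudo is used. The caller passes the hash
# they reviewed, so a file that changed between review and install is refused.
install_package() {
  f="$1"; expected="$2"
  actual=$(digest "$f")
  if [ "$actual" != "$expected" ]; then
    echo "refusing: $f changed since review ($actual != $expected)" >&2
    return 1
  fi
  $SUDO sh "$f"
}

case "${1:-}" in
  --detect)   detect_os ;;
  --download) download_installer ;;
  --install)  install_package "${2:?installer path}" "${3:?reviewed sha256}" ;;
  "")         ;;   # sourced or run without arguments: do nothing
  *) echo "usage: $0 --detect | --download | --install FILE SHA256" >&2; exit 2 ;;
esac
```

The hash check in install_package() is what turns "download, then sudo" into something stronger than two copy/pasted lines: the privileged step only runs the bytes the user actually looked at, and trail.log keeps a record of what that was.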