/srv/irclogs.ubuntu.com/2014/09/22/#ubuntu-us-mi.txt

[13:32] <cmaloney> morning
[13:37] <wolfger> morning
[14:03] <cmaloney> RT @laserllama: New idea: kernel extension that makes it impossible to "curl http://example.com/foo.sh | bash"
[14:03] <bookiebot> http://goo.gl/E3erYM - Example Domain
[14:22] <mrgoodca1> while i understand the reasoning behind hating that pattern, how many people are really going to read an install script before they run it anyways?
=== mrgoodca1 is now known as mrgoodcat
[15:22] <rick_h_> mrgoodcat: I think the idea is to force people writing software to have to look beyond the "just curl/shell it" as an acceptable pattern for install
[15:23] <rick_h_> mrgoodcat: so pushing the work back on the dev vs the user
[15:24] <greg-g> just like apt-get won't install a .deb if there are errors, make the people packaging software Do It Right(TM)
[15:25] <jrwren_> i can just as easily make an evil deb that does bad things when you install it.
[15:25] <jrwren_> ok, maybe not JUST as easily, but without much more effort.
[15:25] <rick_h_> true, we're not saying anything here is protection against bad things
[15:25] <rick_h_> however, if you have a deb you had to get it from somewhere, by default that's a signed place.
[15:25] <jrwren_> I actually do skim the scripts before I run a curl | bash
[15:26] <jrwren_> signed, by me.
[15:26] <greg-g> jrwren_: and that would probably not make it through a reasonable review (by eg Debian)
[15:26] <jrwren_> I can make my own PPA, all the pkgs signed by me and yet when you install that deb the postinst rm -rf /
[15:26] <jrwren_> it's not hard to be malicious.
[15:26] <jrwren_> greg-g: add-apt-repository ?
[15:26] <greg-g> of course, but when we work together and review each other, things get better :)
[15:27] <rick_h_> well that's the nice thing about launchpad ppas, at the very least they're built on machines isolated and means the code is in LP and more
[15:27] <jrwren_> greg-g: it won't make it into debian or universe, but EASILY into an alt repo.
[15:27] <greg-g> jrwren_: of course, there's ways, I didn't say that debs are fool proof
[15:27] <cmaloney> Also: I can tell when a .deb package was compromised and generally by who
[15:27] <greg-g> jrwren_: you're fighting your own strawman
[15:27] <cmaloney> a shell script is easier to spoof
[15:27] <jrwren_> huh?
[15:27] <jrwren_> strawman?
[15:27] <rick_h_> can we just agree that curl | sudo bash - is ungood and kill it?
[15:27] <cmaloney> rick_h_: ++
[15:27] <greg-g> https://en.wikipedia.org/wiki/Straw_man
[15:27] <rick_h_> without debating on the flaws of other systems?
[15:27] <bookiebot> http://goo.gl/HJAeOd - Straw man - Wikipedia, the free encyclopedia
[15:27] <jrwren_> my point is it is the same ungood as trusting a PPA
[15:27] <jrwren_> and we trust PPAs all the time.
[15:28] <greg-g> you might, I don't :)
[15:28] <greg-g> but, I did, and only when I trusted the person :)
[15:28] <jrwren_> greg-g: I did not mean to misrepresent anyone's point.
[15:28] <jrwren_> greg-g: rather, I mean to be saying, YES, AND it is not just curl | bash which is bad, but all these other things too
[15:28] <cmaloney> I just find the whole curl | bash approach to be an anti-pattern
[15:28] <greg-g> you took "Just like apt-get fails on error" == "debs are the epitome of safe" which wasn't what I was saying
[15:28] <greg-g> anyyyyywho
[15:28] <cmaloney> one that has scarily been adopted by many folks
[15:28] <cmaloney> notably Rubyists.
[15:29] <greg-g> yeah, gems and even pypi are scary to Opsen
[15:29] <jrwren_> greg-g: Say what you mean :p
[15:29] <greg-g> jrwren_: I did :)
[15:29] <jrwren_> greg-g: ok, then what you said is wrong.
[15:29] <cmaloney> It's the same reason we don't automatically open URLs posted in channel in our web browsers.
[15:29] * greg-g goes to potty before 3.5 hours of meetings
[15:30] <greg-g> whatever dude
[15:30] <greg-g> I still think you're missing my point and not admitting it
[15:30] <jrwren_> cmaloney: what is that web chat thing that does that for you? 37signals.
[15:30] <jrwren_> greg-g: NO, I REALLY did not understand that you meant "apt-get with only trusted repos"
[15:30] <greg-g> you're still just taking it to an extreme which wasn't intended, just as any statement, when taken to an extreme, is wrong.
[15:31] * greg-g goes
[15:31] <jrwren_> greg-g: no, i REALLY did not read into your intent. I'm sorry that I did not.
[15:31] <jrwren_> I am slow and stupid. I'm sorry for that.
[15:37] <cmaloney> Now you've gone and pissed off greg-g. :)
[15:37] <cmaloney> I hope you're happy. :)
[15:38] <cmaloney> And I haven't used the web chat for 37 signals so if they automatically open any URL that's sent to them then I'd call that a vector. :)
[15:38] <wolfger> I believe this is appropriate to your discussion: http://abstrusegoose.com/479
[15:38] <bookiebot> http://goo.gl/ITNpc - Abstruse Goose | The Beneficence of Others
[15:40] <cmaloney> wolfger: I take every breath with the knowledge that it is because someone has not strangled me yet. :)
[15:41] <greg-g> I'm no longer pissed off :)
[15:41] * greg-g drinks more coffee
[15:41] <greg-g> It's not even 9am yet :)
[15:42] <jrwren_> i just feel bad for being so dumb, but i'm not dumb enough to not feel bad about it.
[15:43] <greg-g> jrwren_: sorry man, I should have responded better anyways
[15:44] <jrwren_> greg-g: No sorry needed. Hope your coffee is delicious.
[15:45] <cmaloney> .np squeekyhoho
[15:45] <bookiebot> squeekyhoho's current track - New Millennium Cyanide Christ by Meshuggah on Chaosphere
[15:46] <cmaloney> Wonder if someone has done a study on programming, odd time signatures, and code quality.
[16:12] <wolfger> Hmm. Just had a program check for installed tools, and "umph" wasn't installed. It's also not in the repository. Anybody hear of this before? It seems to be only packaged for Fedora.
[16:14] <cmaloney> .np squeekyhoho
[16:14] <bookiebot> squeekyhoho's current track - En Mäktig Här by Finntroll on Ur Jordens Djup
[16:14] <cmaloney> umph?
[16:16] <cmaloney> https://code.google.com/p/umph/
[16:16] <bookiebot> http://goo.gl/YeklJH - umph - Command line tool for parsing YouTube feeds - Google Project Hosting
[16:16] <cmaloney> Looks like it hasn't been updated in a while
[16:16] <cmaloney> I'd be suspect of it still working
[16:18] <wolfger> good point
[16:18] <wolfger> It was being looked for by "NomNom", which I was running just because I have no recollection of what it is. :-p
[16:19] <cmaloney> If you're looking to download youtube videos I'd highly recommend youtube-dl
[16:19] <cmaloney> it works and is updated frequently.
[16:21] <wolfger> I think I installed NomNom as a general streamripper. There are several good YouTube-specific alternatives.
[16:25] <cmaloney> https://www.youtube.com/watch?v=N1vvayRpcEU <- Love this song
[16:25] <bookiebot> http://goo.gl/FJIJtm - Meshuggah - War - YouTube
[16:27] <wolfger> cmaloney: Hmm. I was expecting music, not sounds of actual combat. Silly me. ;-)
[16:27] <cmaloney> That is music. :)
[16:27] <cmaloney> Also fucking hard to play on the drums. I think they used a drum machine for that.
[16:48] <wolfger> it's hard on the (ear)drums? I agree. :-D
[17:59] <mrgoodcat> wow i didn't mean to start an argument and walk away
[17:59] <mrgoodcat> my bad
[18:02] <jrwren_> mrgoodcat: lol. <3
[18:02] <jrwren_> mrgoodcat: I brought up a website that you can curl | bash to do it again for you automatically. :)
[18:03] <greg-g> :)
[18:14] <cmaloney> I wrote you an exploit but it was in Javascript.
[18:15] <cmaloney> so I Web8'ed it.
[18:15] <cmaloney> (That doesn't even make sense)
[18:54] <wolfger> LOL
[18:54] <wolfger> nonsensical, but amusing.
[23:12] <cmaloney> Evening
[23:13] <rick_h_> party
[23:27] <mrgoodcat> http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-demanding-source-code-bitcoin-mining-tool/
[23:27] <bookiebot> http://goo.gl/uTUnRe - MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code | WIRED
