cmaloney | morning | 13:32 |
---|---|---|
wolfger | morning | 13:37 |
cmaloney | RT @laserllama: New idea: kernel extension that makes it impossible to "curl http://example.com/foo.sh \| bash" | 14:03 |
bookiebot | http://goo.gl/E3erYM - Example Domain | 14:03 |
mrgoodca1 | While I understand the reasoning behind hating that pattern, how many people are really going to read an install script before they run it anyways? | 14:22 |
=== mrgoodca1 is now known as mrgoodcat | ||
rick_h_ | mrgoodcat: I think the idea is to force people writing software to have to look beyond the "just curl/shell it" as an acceptable pattern for install | 15:22 |
rick_h_ | mrgoodcat: so pushing the work back on the dev vs the user | 15:23 |
greg-g | just like apt-get won't install a .deb if there are errors, make the people packaging software Do It Right(TM) | 15:24 |
jrwren_ | i can just as easily make an evil deb that does bad things when you install it. | 15:25 |
jrwren_ | ok, maybe not JUST as easily, but without much more effort. | 15:25 |
rick_h_ | true, we're not saying anything here is protection against bad things | 15:25 |
rick_h_ | however, if you have a deb you had to get it from somewhere, by default that's a signed place. | 15:25 |
jrwren_ | I actually do skim the scripts before I run a curl \| bash | 15:25 |
jrwren_ | signed, by me. | 15:26 |
greg-g | jrwren_: and that would probably not make it through a reasonable review (by eg Debian) | 15:26 |
jrwren_ | I can make my own PPA, all the pkgs signed by me and yet when you install that deb the postinst rm -rf / | 15:26 |
jrwren_ | it's not hard to be malicious. | 15:26 |
jrwren_ | greg-g: add-apt-repository ? | 15:26 |
greg-g | of course, but when we work together and review each other, things get better :) | 15:26 |
rick_h_ | well that's the nice thing about launchpad ppas, at the very least they're built on machines isolated and means the code is in LP and more | 15:27 |
jrwren_ | greg-g: it won't make it into debian or universe, but EASILY into an alt repo. | 15:27 |
greg-g | jrwren_: of course, there's ways, I didn't say that debs are fool proof | 15:27 |
cmaloney | Also: I can tell when a .deb package was compromised and generally by who | 15:27 |
greg-g | jrwren_: you're fighting your own strawman | 15:27 |
cmaloney | a shell script is easier to spoof | 15:27 |
jrwren_ | huh? | 15:27 |
jrwren_ | strawman? | 15:27 |
rick_h_ | can we just agree that curl \| sudo bash - is ungood and kill it? | 15:27 |
cmaloney | rick_h_: ++ | 15:27 |
greg-g | https://en.wikipedia.org/wiki/Straw_man | 15:27 |
rick_h_ | without debating on the flaws of other systems? | 15:27 |
bookiebot | http://goo.gl/HJAeOd - Straw man - Wikipedia, the free encyclopedia | 15:27 |
jrwren_ | my point is it is the same ungood as trusting a PPA | 15:27 |
jrwren_ | and we trust PPAs all the time. | 15:27 |
greg-g | you might, I don't :) | 15:28 |
greg-g | but, I did, and only when I trusted the person :) | 15:28 |
jrwren_ | greg-g: I did not mean to misrepresent anyone's point. | 15:28 |
jrwren_ | greg-g: rather, I mean to be saying, YES, AND it is not just curl \| bash which is bad, but all these other things too | 15:28 |
cmaloney | I just find the whole curl \| bash approach to be an anti-pattern | 15:28 |
greg-g | you took "Just like apt-get fails on error" == "debs are the epitome of safe" which wasn't what I was saying | 15:28 |
greg-g | anyyyyywho | 15:28 |
cmaloney | one that has scarily been adopted by many folks | 15:28 |
cmaloney | notably Rubyists. | 15:28 |
greg-g | yeah, gems and even pypi are scary to Opsen | 15:29 |
jrwren_ | greg-g: Say what you mean :p | 15:29 |
greg-g | jrwren_: I did :) | 15:29 |
jrwren_ | greg-g: ok, then what you said is wrong. | 15:29 |
cmaloney | It's the same reason we don't automatically open URLs posted in channel in our web browsers. | 15:29 |
* greg-g goes to potty before 3.5 hours of meetings | | 15:29 |
greg-g | whatever dude | 15:30 |
greg-g | I still think you're missing my point and not admitting it | 15:30 |
jrwren_ | cmaloney: what is that web chat thing that does that for you? 37signals. | 15:30 |
jrwren_ | greg-g: NO, I REALLY did not understand that you meant "apt-get with only trusted repos" | 15:30 |
greg-g | you're still just taking it to an extreme which wasn't intended, just as any statement, when taken to an extreme, is wrong. | 15:30 |
* greg-g goes | | 15:31 |
jrwren_ | greg-g: no, I REALLY did not read into your intent. I'm sorry that I did not. | 15:31 |
jrwren_ | I am slow and stupid. I'm sorry for that. | 15:31 |
cmaloney | Now you've gone and pissed off greg-g. :) | 15:37 |
cmaloney | I hope you're happy. :) | 15:37 |
cmaloney | And I haven't used the web chat for 37 signals so if they automatically open any URL that's sent to them then I'd call that a vector. :) | 15:38 |
wolfger | I believe this is appropriate to your discussion: http://abstrusegoose.com/479 | 15:38 |
bookiebot | http://goo.gl/ITNpc - Abstruse Goose \| The Beneficence of Others | 15:38 |
cmaloney | wolfger: I take every breath with the knowledge that it is because someone has not strangled me yet. :) | 15:40 |
greg-g | I'm no longer pissed off :) | 15:41 |
* greg-g drinks more coffee | | 15:41 |
greg-g | It's not even 9am yet :) | 15:41 |
jrwren_ | I just feel bad for being so dumb, but I'm not dumb enough to not feel bad about it. | 15:42 |
greg-g | jrwren_: sorry man, I should have responded better anyways | 15:43 |
jrwren_ | greg-g: No sorry needed. Hope your coffee is delicious. | 15:44 |
cmaloney | .np squeekyhoho | 15:45 |
bookiebot | squeekyhoho's current track - New Millennium Cyanide Christ by Meshuggah on Chaosphere | 15:45 |
cmaloney | Wonder if someone has done a study on programming, odd time signatures, and code quality. | 15:46 |
wolfger | Hmm. Just had a program check for installed tools, and "umph" wasn't installed. It's also not in the repository. Anybody hear of this before? It seems to be only packaged for Fedora. | 16:12 |
cmaloney | .np squeekyhoho | 16:14 |
bookiebot | squeekyhoho's current track - En Mäktig Här by Finntroll on Ur Jordens Djup | 16:14 |
cmaloney | umph? | 16:14 |
cmaloney | https://code.google.com/p/umph/ | 16:16 |
bookiebot | http://goo.gl/YeklJH - umph - Command line tool for parsing YouTube feeds - Google Project Hosting | 16:16 |
cmaloney | Looks like it hasn't been updated in a while | 16:16 |
cmaloney | I'd be suspect of it still working | 16:16 |
wolfger | good point | 16:18 |
wolfger | It was being looked for by "NomNom", which I was running just because I have no recollection of what it is. :-p | 16:18 |
cmaloney | If you're looking to download youtube videos I'd highly recommend youtube-dl | 16:19 |
cmaloney | it works and is updated frequently. | 16:19 |
wolfger | I think I installed NomNom as a general streamripper. There are several good YouTube-specific alternatives. | 16:21 |
cmaloney | https://www.youtube.com/watch?v=N1vvayRpcEU <- Love this song | 16:25 |
bookiebot | http://goo.gl/FJIJtm - Meshuggah - War - YouTube | 16:25 |
wolfger | cmaloney: Hmm. I was expecting music, not sounds of actual combat. Silly me. ;-) | 16:27 |
cmaloney | That is music. :) | 16:27 |
cmaloney | Also fucking hard to play on the drums. I think they used a drum machine for that. | 16:27 |
wolfger | it's hard on the (ear)drums? I agree. :-D | 16:48 |
mrgoodcat | wow I didn't mean to start an argument and walk away | 17:59 |
mrgoodcat | my bad | 17:59 |
jrwren_ | mrgoodcat: lol. <3 | 18:02 |
jrwren_ | mrgoodcat: I brought up a website that you can curl \| bash to do it again for you automatically. :) | 18:02 |
greg-g | :) | 18:03 |
cmaloney | I wrote you an exploit but it was in Javascript. | 18:14 |
cmaloney | so I Web8'ed it. | 18:15 |
cmaloney | (That doesn't even make sense) | 18:15 |
wolfger | LOL | 18:54 |
wolfger | nonsensical, but amusing. | 18:54 |
cmaloney | Evening | 23:12 |
rick_h_ | party | 23:13 |
mrgoodcat | http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-demanding-source-code-bitcoin-mining-tool/ | 23:27 |
bookiebot | http://goo.gl/uTUnRe - MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code \| WIRED | 23:27 |