[13:32] <cmaloney> morning
[13:37] <wolfger> morning
[14:03] <cmaloney> RT @laserllama: New idea: kernel extension that makes it impossible to "curl http://example.com/foo.sh | bash"
[14:03] <bookiebot> http://goo.gl/E3erYM - Example Domain
[14:22] <mrgoodca1> while i understand the reasoning behind hating that pattern, how many people are really going to read an install script before they run it anyways?
[15:22] <rick_h_> mrgoodcat: I think the idea is to force people writing software to have to look beyond the "just curl/shell it" as an acceptable pattern for install
[15:23] <rick_h_> mrgoodcat: so pushing the work back on the dev vs the user
[15:24] <greg-g> just like apt-get won't install a .deb if there are errors, make the people packaging software Do It Right(TM)
[15:25] <jrwren_> i can just as easily make an evil deb that does bad things when you install it.
[15:25] <jrwren_> ok, maybe not JUST as easily, but without much more effort.
[15:25] <rick_h_> true, we're not saying anything here is protection against bad things
[15:25] <rick_h_> however, if you have a deb you had to get it from somewhere, by default that's a signed place.
[15:25] <jrwren_> I actually do skim the scripts before I run a curl | bash
[15:26] <jrwren_> signed, by me.
[15:26] <greg-g> jrwren_: and that would probably not make it through a reasonable review (by eg Debian)
[15:26] <jrwren_> I can make my own PPA, all the pkgs signed by me and yet when you install that deb the postinst rm -rf /
[15:26] <jrwren_> it's not hard to be malicious.
[15:26] <jrwren_> greg-g: add-apt-repository ?
[15:26] <greg-g> of course, but when we work together and review each other, things get better :)
[15:27] <rick_h_> well that's the nice thing about launchpad ppas, at the very least they're built on machines isolated and means the code is in LP and more
[15:27] <jrwren_> greg-g: it won't make it into debian or universe, but EASILY into an alt repo.
[15:27] <greg-g> jrwren_: of course, there's ways, I didn't say that debs are foolproof
[15:27] <cmaloney> Also: I can tell when a .deb package was compromised and generally by who
[15:27] <greg-g> jrwren_: you're fighting your own strawman
[15:27] <cmaloney> a shell script is easier to spoof
[15:27] <jrwren_> huh?
[15:27] <jrwren_> strawman?
[15:27] <rick_h_> can we just agree that curl | sudo bash - is ungood and kill it?
[15:27] <cmaloney> rick_h_: ++
[15:27] <greg-g> https://en.wikipedia.org/wiki/Straw_man
[15:27] <rick_h_> without debating on the flaws of other systems?
[15:27] <bookiebot> http://goo.gl/HJAeOd - Straw man - Wikipedia, the free encyclopedia
[15:27] <jrwren_> my point is it is the same ungood as trusting a PPA
[15:27] <jrwren_> and we trust PPAs all the time.
[15:28] <greg-g> you might, I don't :)
[15:28] <greg-g> but, I did, and only when I trusted the person :)
[15:28] <jrwren_> greg-g: I did not mean to misrepresent anyone's point.
[15:28] <jrwren_> greg-g: rather, I mean to be saying, YES, AND it is not just curl | bash which is bad, but all these other things too
[15:28] <cmaloney> I just find the whole curl | bash approach to be an anti-pattern
[15:28] <greg-g> you took "Just like apt-get fails on error" == "debs are the epitome of safe" which wasn't what I was saying
[15:28] <greg-g> anyyyyywho
[15:28] <cmaloney> one that has scarily been adopted by many folks
[15:28] <cmaloney> notably Rubyists.
[15:29] <greg-g> yeah, gems and even pypi are scary to Opsen
[15:29] <jrwren_> greg-g: Say what you mean :p
[15:29] <greg-g> jrwren_: I did :)
[15:29] <jrwren_> greg-g: ok, then what you said is wrong.
[15:29] <cmaloney> It's the same reason we don't automatically open URLs posted in channel in our web browsers.
[15:29]  * greg-g goes to potty before 3.5 hours of meetings
[15:30] <greg-g> whatever dude
[15:30] <greg-g> I still think you're missing my point and not admitting it
[15:30] <jrwren_> cmaloney: what is that web chat thing that does that for you? 37signals.
[15:30] <jrwren_> greg-g: NO, I REALLY did not understand that you meant "apt-get with only trusted repos"
[15:30] <greg-g> you're still just taking it to an extreme which wasn't intended, just as any statement, when taken to an extreme, is wrong.
[15:31]  * greg-g goes
[15:31] <jrwren_> greg-g: no, i REALLY did not read into your intent. I'm sorry that I did not.
[15:31] <jrwren_> I am slow and stupid. I'm sorry for that.
[15:37] <cmaloney> Now you've gone and pissed off greg-g. :)
[15:37] <cmaloney> I hope you're happy. :)
[15:38] <cmaloney> And I haven't used the web chat for 37 signals so if they automatically open any URL that's sent to them then I'd call that a vector. :)
[15:38] <wolfger> I believe this is appropriate to your discussion: http://abstrusegoose.com/479
[15:38] <bookiebot> http://goo.gl/ITNpc - Abstruse Goose | The Beneficence of Others
[15:40] <cmaloney> wolfger: I take every breath with the knowledge that it is because someone has not strangled me yet. :)
[15:41] <greg-g> I'm no longer pissed off :)
[15:41]  * greg-g drinks more coffee
[15:41] <greg-g> It's not even 9am yet :)
[15:42] <jrwren_> i just feel bad for being so dumb, but i'm not dumb enough to not feel bad about it.
[15:43] <greg-g> jrwren_: sorry man, I should have responded better anyways
[15:44] <jrwren_> greg-g: No sorry needed. Hope your coffee is delicious.
[15:45] <cmaloney> .np squeekyhoho
[15:45] <bookiebot> squeekyhoho's current track - New Millennium Cyanide Christ by Meshuggah on Chaosphere
[15:46] <cmaloney> Wonder if someone has done a study on programming, odd time signatures, and code quality.
[16:12] <wolfger> Hmm. Just had a program check for installed tools, and "umph" wasn't installed. It's also not in the repository. Anybody hear of this before? It seems to be only packaged for Fedora.
[16:14] <cmaloney> .np squeekyhoho
[16:14] <bookiebot> squeekyhoho's current track - En Mäktig Här by Finntroll on Ur Jordens Djup
[16:14] <cmaloney> umph?
[16:16] <cmaloney> https://code.google.com/p/umph/
[16:16] <bookiebot> http://goo.gl/YeklJH - umph - Command line tool for parsing YouTube feeds - Google Project Hosting
[16:16] <cmaloney> Looks like it hasn't been updated in a while
[16:16] <cmaloney> I'd be suspect of it still working
[16:18] <wolfger> good point
[16:18] <wolfger> It was being looked for by "NomNom", which I was running just because I have no recollection of what it is. :-p
[16:19] <cmaloney> If you're looking to download youtube videos I'd highly recommend youtube-dl
[16:19] <cmaloney> it works and is updated frequently.
[16:21] <wolfger> I think I installed NomNom as a general streamripper. There are several good YouTube-specific alternatives.
[16:25] <cmaloney> https://www.youtube.com/watch?v=N1vvayRpcEU <- Love this song
[16:25] <bookiebot> http://goo.gl/FJIJtm - Meshuggah - War - YouTube
[16:27] <wolfger> cmaloney: Hmm. I was expecting music, not sounds of actual combat. Silly me. ;-)
[16:27] <cmaloney> That is music. :)
[16:27] <cmaloney> Also fucking hard to play on the drums. I think they used a drum machine for that.
[16:48] <wolfger> it's hard on the (ear)drums? I agree. :-D
[17:59] <mrgoodcat> wow i didn't mean to start an argument and walk away
[17:59] <mrgoodcat> my bad
[18:02] <jrwren_> mrgoodcat: lol. <3
[18:02] <jrwren_> mrgoodcat: I brought up a website that you can curl | bash to do it again for you automatically. :)
[18:03] <greg-g> :)
[18:14] <cmaloney> I wrote you an exploit but it was in Javascript.
[18:15] <cmaloney> so I Web8'ed it.
[18:15] <cmaloney> (That doesn't even make sense)
[18:54] <wolfger> LOL
[18:54] <wolfger> nonsensical, but amusing.
[23:12] <cmaloney> Evening
[23:13] <rick_h_> party
[23:27] <mrgoodcat> http://www.wired.com/2014/09/mit-students-face-aggressive-subpoena-demanding-source-code-bitcoin-mining-tool/
[23:27] <bookiebot> http://goo.gl/uTUnRe - MIT Students Battle State's Demand for Their Bitcoin Miner's Source Code | WIRED