• 2 Posts
  • 33 Comments
Joined 4 months ago
Cake day: March 22nd, 2025



  • I get all that. What I don’t get is what are you proposing.

    For me it’s obvious that developers will keep providing bash installers and users will keep running them. Everyone knows it’s bad. I see comments about how bad piping scripts from curl to bash is daily yet it’s still being done everywhere. What I described is a good compromise: dev can keep using bash but users get some security. Your solution is to keep complaining about it without doing anything to improve security.

    Of course proper packages are better. Simply knowing this is not fixing anything.




    1. You’re talking about the difficulty of packaging something, not of adding something to a distro. Standard installations of Ubuntu, Debian, Fedora, Mint and so on include hundreds of packages. Yes, a minimal Arch docker image may be a different story, but I think the main distros would accept a tiny package that solves security issues. Of course I don’t know that, but I think it would be worth trying. No one is trying to substitute the package manager. It’s just a way to make bash installers more secure.

    2. I didn’t say that MD5 is enough. I’m saying that it’s something tarball providers do to offer a sliver of security, because it’s well understood that downloading an unsigned archive from a webpage is not a secure method of distribution. Bash scripts offer even less security. What I’m describing is a secure method of distributing such scripts.


  • I would say a package manager generally has the ability to track versions and uninstall packages. That’s why I don’t consider bash scripts a package manager.

    I said that the tool would have to be installed by default on the main distros. It would be a single binary and a man page. I don’t think it would be very difficult to get it included.

    As I explained in another comment, I’m not worried about malice from the developer but from a hacker. Bash scripts are not signed in any way, are not verified by anything client side, and are not versioned. There’s zero security. Even tarballs are usually provided with an MD5 checksum that you can verify client side. With bash there’s nothing. A central repository would provide a lot. Yes, there could still be bugs in bash, but at least you know you’re downloading a reviewed, approved, statically checked script that was previously downloaded by 10k people.



  • If you trust the software then why not trust the installation scripts

    I can trust, for example, rustup, but how can I be sure someone didn’t hack and deface their website? You go to a website and see curl --proto '=https' --tlsv1.2 -sSf https://sh-rustup.rs/ | sh. Can you say if that’s valid? Because it’s not. I changed it. grunt rustup is much easier to verify and it would offer the additional checks I described.

    So it will protect you from webpage attacks, but you also don’t know how the script uploaded to sh.rustup.rs was verified. Maybe the server was hacked and the script was changed? Are you going to check the MD5 manually? You should, but will you do it? Maybe the rustup team has weak internal security and someone changed this script without a proper review process? A central repo would ensure that review was followed.

    And finally, sometimes you don’t really know if you can trust the project. Right now you can just take your chances or not install it at all. With a central repo you can at least get some stats and you can do some static analysis server side. In the worst case, if you execute something malicious, you can report it and it will be removed. Right now there’s nothing you can do about a malicious install script.
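As an added illustration of the client-side check this comment argues for (example code written here, not from the thread, rustup or any tool named in it): download the installer to a file first and run it only when its SHA-256 matches a digest obtained out of band, the stronger cousin of the MD5 checksum tarballs ship with. The URL and digest in the call at the bottom are placeholders.

```shell
#!/bin/sh
# Added example: verify an installer's digest before running it, instead of
# piping curl straight into sh. Requires curl and coreutils sha256sum.
set -eu

# verify_installer FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 digest equals EXPECTED_SHA256, 1 otherwise.
verify_installer() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# run_verified URL EXPECTED_SHA256
# Fetch to a temp file, verify, and only then execute. On a mismatch the
# script is never executed and the temp file is removed by the trap.
run_verified() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    curl --proto '=https' --tlsv1.2 -sSf -o "$tmp" "$url"
    if verify_installer "$tmp" "$expected"; then
        sh "$tmp"
    else
        echo "checksum mismatch for $url, refusing to run" >&2
        return 1
    fi
}

# Placeholder usage; replace with the real URL and the digest published
# through a separate channel (release notes, signed announcement, etc.):
# run_verified "https://example.invalid/install.sh" "<published-sha256>"
```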


  • The problem with a central script repository is that bash scripts are difficult to audit,

    But all the websites already use bash scripts. If we cannot stop using bash scripts (and it looks like we can’t), then let’s do it in a more secure way. Bash scripts provided by individual pages are impossible to audit. Bash scripts in a central repo will be possible to audit, even if it will be hard.

    So in my opinion, a package manager based on bash

    It’s not a package manager based on bash. It’s a secure way to distribute bash scripts that are already being distributed in an insecure way.








  • Small models can only handle a limited set of tasks. To cover a lot of different tasks you would need a lot of small models. What DeepSeek did was build a lot of small models, with each acting as an expert on one topic (more or less). It’s more energy efficient to train but not necessarily to run, as you have to chain a lot of small models to get good results.

    What do people use LLMs for? Asking questions you would normally ask Google. Google sucks now, so it’s easier to ask ChatGPT. You can also use it for simple tasks like checking text for grammar errors, writing emails and so on.