1. 7

  2. 6

    I’m not sure I ‘get’ this - how does it improve over RAID, or RAID in a ZFS pool? It tries to use Samba instead of a RAID controller?

    1. 5

      It's a userspace tool, while RAID/ZFS is kernel space. Each drive is readable on its own without the rest of the pool. There are options on how many different drives to copy each file onto for redundancy, and drives of different sizes are allowed.

    2. 11

      “curl -Ls http://bit.ly/gh-install-package | sudo sh”

      No thanks bye.

      1. 4

        Or just read the script, dl it, then run it. But some people don’t care enough to do that.

        1. 2

          You have the steps out-of-order: You have to download the script, then read it, then run it. If you read the script in the browser before running the “curl | bash” it could serve different scripts to the different user agents (or after enough hits from one IP, etc.)

        2. 3

          So you trust the strangers that contribute to the package repository you use more so than any other strangers? What makes them different?

          1. 9

            Are you seriously asking why someone would rather install packages from Canonical or Apple instead of sudo executing a script blindly downloaded from bit.ly?

            I’d like to see more projects get called out and shamed for doing this. It’s super dangerous and it’s a stupid idea to get people used to doing it. “I’m blindly sudo executing a script from the internet” should set off huge alarm bells in people’s heads. It shouldn’t be something they’re doing every day.

            1. 2

              But the packages aren’t all made by Apple or Canonical. Surely a package repository is just a centralised spot to run programs from strangers under sudo.

              What centralization can bring is the ability to catch malicious scripts before with their first few strikes, but that hasn’t exactly worked with, for example, Android.

              In the end, you’re still trusting somebody. And I’m not saying blindly execute it, I’m saying there’s a high probability you’re already blindly executing code under sudo. I don’t wish to pressure anybody into installing like asked, simply to say that those “alarm bells” should be going off a bit more, then.

              1. 4

                Right. And that gets back to your original question about trust.

                The answer is “Yes”, I trust Apple and Canonical a whole lot more than a project I’ve never heard of, asking me to sudo execute content pointed to by bit.ly. Not even hosting it on their own page makes it just that much sketchier.

                1. 1

                  That does indeed make sense.

                  Personally I don’t feel the same amount of trust that you do in companies like Apple or Canonical since usually when I install stuff, they’re only the middle-man in this situation, not the origin of the code (for the package and/or the install script).

                  That being said, I seem to implicitly trust people and will download nearly any executable I feel is something I want and doesn’t look too shady. :P

                  Also upon reviewing that script, it seems surprisingly apt-get and yum specific. And bit.ly seems to have been used to shorten a gist URL.

            2. 7
              1. Downloading over an unencrypted, unauthenticated connection. At least with SSL, someone must MITM the connection or hack the endpoint. Over an unencrypted connection, any chucklefuck anywhere between you and whoever you’re talking to can do whatever they want with your connection, and because you’re piping it into a root shell, they can do whatever they want with you.
              2. The script itself downloads a bunch of stuff over http, duplicating the error even if you go to the trouble of downloading ahead-of-time and verifying, or find a secure endpoint to grab it from.
              3. On yum-based systems, it circumvents proper dependencies to install either mysql or mariadb. So not only are you instructed to get it wrong, it then behaves wrong, too, which gives me no confidence in it.
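The download-then-read-then-run order argued for earlier in the thread, and the unauthenticated-transport point in the three-item list above, as an added shell example (not code from the thread or from the project under discussion): the installer is saved to a file exactly once, that file is read and pinned by SHA-256, and only that same file is executed, so a server cannot show a reviewer one script and a shell another. The URL and digest are placeholders, and a sha256sum or shasum binary is assumed to exist.

```shell
#!/bin/sh
# Added example: fetch the installer once, pin that exact file, then run
# the same bytes. Nothing from the network is ever piped into a shell.
set -eu

# SHA-256 of a file, using whichever digest tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Save to a local file; --proto/--proto-redir refuse plain http, including
# an https->http redirect, so the transport is at least authenticated.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# Succeed only if the saved file matches a digest obtained out of band
# (release notes, a signed tag, a second channel), not from the same URL.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run the file only after it verifies; the hashed bytes are the executed bytes.
run_verified() {
    if ! verify_script "$1" "$2"; then
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
    sh "$1"
}

# Placeholder URL and digest (assumptions, not the thread's bit.ly link).
main() {
    url="https://example.invalid/install.sh"
    pinned="0000000000000000000000000000000000000000000000000000000000000000"
    tmp=$(mktemp)
    fetch_script "$url" "$tmp"
    ${PAGER:-less} "$tmp"            # read it before deciding to run it
    run_verified "$tmp" "$pinned"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Pinning the outer script does nothing for point 2 in the list: any http fetches the script performs internally are still unauthenticated, which is why reading it first matters.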
            3. 1

              Requiring root to install software is a horrible anti-affordance we as an industry ought to be working to stamp out. Actually, uid 0 is the real problem, but we have to start somewhere.

              1. 1

                Looks like there’s a “manual installation” section if you’re interested.