1. -3

    basically go

    1. 26

      Uh…except that Go has zero of the three “necessary components” called for.

    1. 26

      curl https://getcroc.schollz.com | bash

      And the developer of this project expects me to believe them when they say their project is secure?

      1. 9

        agreed. this is malpractice.

        1. 6

          It’s no worse (in fact slightly better) than downloading an opaque binary, since the entire purpose of the script is to download an opaque binary I don’t see much of an issue.

          I suppose you could quibble about this curl command requires trusting getcroc.shollz.com as well as github.com and whoever uploaded the binary to github.com… but that’s a pretty minor quibble.

          1. 7

            As a disclosure I wrote this at some point when I was annoyed, I think it presents a couple of reasons why this is stupid. https://0x46.net/thoughts/2019/04/27/piping-curl-to-shell/

            1. 4

              I am also not a fan of this way of installation. However your arguments seem to miss this in various ways.

              The first argument boils down to “If you don’t use TLS it’s not secure”. This is true for any downloaded software (unless you download some signatures, which you again have to get in a secure manner).

              Hidden text attack. Again, this is independent of piping to a shell. As soon as you have any kind of example you copy and paste (eg. apt-get install foo, which for example could curl and pipe to bash) this will be true.

              User Agent based attacks are also independent of piping to a shell per se. It can always be switched out. Also if you do a wget or curl directly.

              “A simple matter of not knowing what the script is going to do”. This feels even more true of downloading any kind of binary. A script actually makes this harder for the attacker. You could just curl it and print it. So it makes more sense for an attacker to hide malicious activity in the binary.

              All of these statements are correct and I think this is a great post about various attacks that one should be aware of, but they are correct even for other forms of obtaining software, which is why we should not teach people to only be skeptical of curl https://example.com/script.sh | bash, but any kind of obtaining software without taking caution.

              1. 3

                Standard man-in-the-middle attacks

                This does use TLS.

                Hidden text attacks

                It’s a markdown file in GitHub; it should be pretty safe from that.

                User-Agent based attacks

                The malware could just be included in the binary, which you can’t easily inspect; you’re trusting them either way if you install that. If you don’t want to, there are also instructions for installing it from Homebrew, Scoop, and from source.

                Partial content returned by the server

                The functionality of this script is contained within a function, so it won’t run if you execute it cut off at a part.

                A simple matter of not knowing what the script is going to do

                You can read it; this downloads and installs the program to /usr/local/bin. Also, if you don’t need to know it beforehand, this script prints what it’s doing to the terminal.

                1.  

                  It’s a markdown file in GitHub;

                  Not downloaded from a GitHub url, making it harder to verify.

              2. 2

                I’m assuming a bit of humor regarding the word “securely” in the title is intended, as plenty of things install themselves in this way.

              3. 1

                it works 99.99% of the time

              1. -2

                I am in complete agreement with all points

                  1. 2

                    This doesn’t make much sense, the console is just a GUI with significant limitations. I don’t see any benefit.

                    In fact I think that making ncurses style GUIs inside terminals is an abuse of the tool and we should stop doing that. They should be lower tech and only handle a sequence of lines. If we did this then scrolling wouldn’t break randomly in terminals.

                    1. 9

                      I find it depressing that hackers are still focusing on text-only interfaces rather than getting to a place where graphical interfaces are easy and pleasant to hack on.

                      A graphical interface is a superset of text interfaces. There is literally nothing that can be worse (e.g. just boot up xterm), but so many things can be better.

                      1. 2

                        In principle I’m interested in that (as a user, not much of a developer). But somehow the kind of GUI stuff that appeals to me for similar reasons that terminal-mode stuff does ends up with much shorter half lives. Once you leave both the KDE/Gnome style of GUIs and the browser-as-a-frontend style of GUIs, almost everything else seems to be unmaintained or quickly on the way there. There’s old X11 stuff that’s interesting but rarely looks like it’s been touched in 10 years, and may or may not even compile anymore; likewise for some of the experiments built using imlib/imlib2 back when Enlightenment was more active. There are also some one-offs that get basic maintenance but don’t seem really active as a community; for example the unix port of plan9’s sam does compile and work.

                        The main exception afaict is window managers, where there is still quite a bit of active experimentation with alternative GUI paradigms. Though that’s kind of a weird “meta” level of GUI experimentation, the shell rather than the apps that go inside of it.

                        1. 1

                          With great power comes great responsibility. The superior technical capabilities of a graphical interface allow you to make something better than in a textual interface for sure, but also much worse - and it’s always easier to make something worse. The constraints imposed by a TUI limit how awful an interface can be.

                          1. 0

                            it’s just too difficult to do

                          1. 2

                            This is very important work! Good luck arch devs

                            1. 1

                              think of this like sudo, but inside [a federated web app]

                              but what if this goes wrong?

                              1. 1

                                One of the essential ideas of object-capability theory is that objects may do anything that they are authorized to do. To prevent malicious behavior, limit the authorizations that are granted and the objects that are trusted.

                              1. 2

                                Wow, you can do that??

                                  1. 2

                                    And the underlying technology is solid: a binary protocol very similar to Git.[1] (As opposed to Secure Scuttlebutt, which is tons of encrypted JSON.)

                                    Why is a binary protocol considered solid vs. encrypted JSON? Is SSB not “solid” because it’s JSON? Because it’s encrypted? Because there’s lots of it? I don’t get it. Not to mention the characterisation as “binary protocol very similar to Git” is just wrong. Dat uses protobufs! Git doesn’t!

                                    1. 3

                                      SSB is janky because it’s signed JSON, except the signature is stored inside the JSON and must be the last key in the root object (and the signature is of ‘all JSON text up to this signature’).

                                      Not only is that pointlessly hard to implement for no good reason, it introduces a exciting new ways to mess up signature verification (eg by verifying up to the signature but then allowing additional keys/values after the signature).

                                      1. 1

                                        Sure, but the comparison is “solid: a binary protocol very similar to Git” (which is completely off-base) and “tons of encrypted JSON” – it’s not obvious that a “binary protocol” is somehow better or more ‘solid’ than encrypted JSON. I have issue with the writing being inaccurate in multiple dimensions; I’m not talking about SSB per se.

                                        1. 2

                                          Yeah, that’s sloppy writing.

                                        2. 1

                                          wow. why don’t they fix this?

                                          1. 2

                                            They are, but it’s slow because there are many, many SSB nodes in production, and most of them have very slow internet connections (one of the main selling points of SSB is for use on e.g. a yacht, or remote farm), so you can’t assume anyone will update their software quickly.

                                            In a few years time, there will probably be sensible crypto rolled out across the SSB network.

                                      1. 2

                                        This is a common misconception, it’s actually not good to self host.

                                        1. 3

                                          Oh? Please elaborate.

                                          1. 3

                                            My personal take is you learn more about how well the language handles a variety of use cases by just using it in a variety of use cases. Or sharing it with others that do the same. A compiler is going to test it in more limited ways.

                                            Now, for what makes a good compiler. It should start fast, run fast, and be easy to update. So, the language should make writing compilers easy with a fast executable resulting. A language good for writing compilers even lets you experiment with the new language faster than trying to build it in itself, an imature language.

                                            I encourage CL/Scheme, ML’s, or one of new systems languages.

                                            1. 2

                                              If all you’d write was the compiler itself, then yes you would limit yourself. For Inko there is much more to write, such as a package manager, and maybe one day the web service for that. All of this should act as a good test bed for the language, while also being useful to the (potential) users.

                                              1. 1

                                                It’s true that will work it out a bit more. There’s still no substitute for writing many kinds of apps if assessing how it handles many kinds of apps. Easier for languages people can use while in development: they find some problems for you. I think of it as “many eyeballs” concept applied to language design and testing.

                                          2. 2

                                            “Not good” as in actively harmful, or simply not worth the time and effort?

                                            1. 5

                                              It’s harmful in the sense that you create a loop where your source code depends on a compiled binary. development with this self hosted source/binary pair can be difficult and it’s possible to paint yourself into a corner by accidentally compiling in bugs that are hard to get out (for one example). If you do self-host it’s valuable to maintain a bootstrap path so that you can build the whole system from scratch without depending on a prebuilt version - this means you’re maintaining 2 implementations of your language though (usually a light one that only provides what the compiler needs, and then a full one which has everything).

                                              1. 2

                                                Gotcha, but I hope there aren’t any implementations still in use that completely ditch the bootstrap path. It’s an ancient technique that for sure isn’t necessary today.

                                                FWIW I see value in maintaining two different implementations of a compiler anyway, for testing, agreeing on a specification, etc.

                                                1. 2

                                                  A few high-profile languages/compilers seem to be unbootstrappable according to http://bootstrappable.org/projects.html :(

                                                2. 1

                                                  This is very different from “It’s not actually good to bootstrap”. While bootstrapping has its drawbacks, I believe its benefits outweigh these.

                                                  1. 1

                                                    what are the benefits

                                                    1. 1

                                                      The benefits listed in the article also apply to bootstrapping. It all comes down to eating your own dog food.

                                                      1. 1

                                                        In the article it lists the following as benefits for self hosting:

                                                        String slicing. Concurrency primitives. A unit testing framework. APIs for working with the filesystem. Adding these features to the standard library benefits all users of the language

                                                        But these are not benefits of self hosting. Adding these things may be a side effect of doing the self hosting work but you could just add them without self hosting.

                                                        Performance is also mentioned. You can benchmark your compile on any set of benchmark test programs - a varied set will help much more than one quite specific test program. There is no logical reason why benchmarking a self hosted compiler is necessary to work on performance.

                                                        1. 1

                                                          That list is not the list of benefits, but some of the features necessary to implement a compiler (emphasis mine):

                                                          To write our compiler in our own language, the language must provide the necessary features. Such features might be:

                                                          I recommend (re-)reading the article more carefully, as you appear to have glossed over parts of it.

                                                          1. 1

                                                            so what are the benefits?

                                            1. 2

                                              This video discusses the toolchain bootstrapping problem in the context of building bitcoin software securely.

                                              1. -1

                                                There is no winning an argument with wild accusations like that. Do you think that all the Google engineers are evil and part of a conspiracy?

                                                Maybe Google is doing this, maybe not. But to convince the opposing party we have to take the charitable view and stick to the facts instead. Would you be open to suggestions while also being accused of doing horrible things?

                                                Looking at the Manifest V3, I am seeing a lot of good things that are dearly needed. The most important one is to allow extensions to only get access to pages when they are invoked instead of being able to run on *://*. Most of the changes seem to be related to tightening access to avoid extensions abusing the user like that.

                                                The charitable view is that they went a bit overboard with the features restrictions. Now the Manifest is up for discussion and ad-blockers should ask Google if they can implement the Firefox async API instead. And if not, talk about the specific points why this is a security threat when the read-only access is still accessible.

                                                1. 11

                                                  The engineers don’t get to decide these things, and considering Google is an ads company first and foremost, I don’t think you need to invoke any conspiracy here. It’s pretty clear what Google is doing, we already went through the exact same thing with Microsoft when IE had market dominance. Now is absolutely not the time to give the benefit of the doubt because the consequences of Chrome stomping out every alternative are going to be severe.

                                                  1. -1

                                                    The engineers don’t get to decide these things

                                                    Really? I doubt Google execs are in the business of writing APIs.

                                                    1. 4

                                                      Google execs are precisely who decides on the features that their product has.

                                                      1. 1

                                                        It would be really weird for a manager to dictate the API shape. At minimum this makes all the developers on the Chrome team complicit as they would notice such strange behaviour.

                                                        The best outcome for this would be for Google to change the API back or to adopt the Firefox promise-based one. I don’t see how making wild accusations is helping with that matter.

                                                      2. 4

                                                        Google execs are totally in the business of firing developers who are not willing to write (or remove) the APIs. Or at least having them replaced by other developers who will be more willing.

                                                        Don’t underestimate the persuasive power of a salary.

                                                    2. 9

                                                      Do you think that all the Google engineers are evil and part of a conspiracy?

                                                      From the end of the article:

                                                      To be clear my conclusions are emphatically not “Chrome engineers are out to get ad blockers”

                                                      I don’t think these are wild accusations at all - rather, quite carefully considered opinions.

                                                      1. 7

                                                        Do you think that all the Google engineers are evil and part of a conspiracy?

                                                        The post directly addressed this question.

                                                        1. 2

                                                          Why? Which part?

                                                        1. 2

                                                          fun! the code looks nice and simple too. I’d use this to host a gopher.

                                                          1. 4

                                                            In this article, I’ll explain how to implement return, while, break, continue, try, catch, throw and finally in terms of efficient escape continuations.

                                                            but how do you implement escape continuations?

                                                            1. 3

                                                              There is a separate article for that: http://matt.might.net/articles/cesk-machines/

                                                              1. 1

                                                                thanks. that shows how to do full blown call/cc so it must be lacking all the optimizations that are necessary to make call/ec efficient enough to use as a base for exceptions.

                                                                1. 1

                                                                  Yes, but full call/cc is often fast enough.

                                                            1. 4

                                                              Judging by the source, it’s using a WebRTC API to resolve my LAN IPv4 prefix. I didn’t know that was possible (so thanks for the enlightening article!)

                                                              1. 4

                                                                Hi! Author here. Yes, I forgot to mention that in the post. Perhaps an interesting follow up.

                                                              1. 1

                                                                This approach seems kind of ugly/non-orthogonal, the try macro must shadow return,continue,break. But what if I define another construct? I have to go back and update the try macro to shadow it too?

                                                                1. 1

                                                                  Only if try allows continue/return/break, otherwise the wrapping macros will parse out the return.

                                                                1. 1

                                                                  When writing C you need to check the man page for every function that you use, it will tell you about the values returned when there is an error and you need to check for those and handle them.