Hacker News new | past | comments | ask | show | jobs | submit login
Bashfill – art for your terminal (max.io)
134 points by yankcrime on July 3, 2017 | hide | past | favorite | 30 comments

Here's a piece I threw together - Stormy beach, use as you may.


Pretty cool. Just a thought - maybe add an endpoint directly to the shell script? Would be cool to be able to simply `curl max.io/...` and see it

Please don't. Why would you want that. Do you really want to put trust in another 3rd party (even if author is great, site can be compromised), just to see some colors in your terminal?

I don't see how do we solve this problem by the way. Most people will always choose convenience over security. And they, as a user, must have some privileges. Even if you ask, they will just go ahead and say yes to get their thing. I understand that. Is there some clever technical fix for this, or do ransomware need to get popular enough to increase users security awareness? It seems to be a really hard problem.

edit: Oh, I'm not very clever, no execution necessary here, just an output from curl. Realized that just after I sent it, but I'm leaving the reply for the second OT part.

This is a discussion that’s been had before and a problem that’s been solved before: https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...

As a gist, here’s a quote:

    When you install software on Linux, no matter what package manager you use, you are giving that software permission to act as you.

Most (if not all) legit package managers at least use checksums to reduce the chance of malicious packages getting installed; I'm not sure about others, but I believe pacman (the Arch Linux package manager) also refuses to install packages from unless you've imported the GPG key of the distributor. This isn't to say that package managers are completely safe (nothing is), but there are fairly significant differences between using a Linux package manager and piping a script from the internet to be executed.

The owner of the website could sign responses, and you could verify them, in addition to TLS via HTTPS. I think that can make it at least as secure as package management systems.

Yep, I agree. Providing checksums for scripts to curl isn't the the norm from what I've seen, though, which I think fits in with what GP (of my original comment) was saying. Also, I'm not super convinced that most users would bother verifying the checksum; from what I've seen, most people downloading Linux distro images don't even bother verifying the checksums that are provided.

I'd be great if something like hashpipe could become standard on Linux for this purpose.

See https://news.ycombinator.com/item?id=9318286

This is really cool! I hadn't heard of it before

That article is mixing up "is it safe to do that from us?" and "is it safe to do that?". Do it from another vendor that isn't using https and all their reassurances about the method evaporate. Simply put: the method is bad; it's only when you use a bunch of mitigating actions that it becomes 'not bad'.

Kind of unrelated but I wish I could do `curl http://example.com/evil-script.sh | vim | bash` and have vim stop the pipe if I :q! or proceed to forward stdin to stdout if I :wq.

That's what `vipe` is for: https://joeyh.name/code/moreutils/

I choose convenience over security. And so do you. You didn't read every line of every software you use,because it's not convenient.

I thought about that, but then I'd need to support it server side, and right now it's just a static page. For convenience I made you this (requires node): https://github.com/binarymax/bashfill/blob/master/zip2bash.j...

So you can run './zip2bash.js $somebashfillurl | bash' to light it up.

For some pretty art on your terminal (this command isn't going to delete anything):

    yes "$(seq 231 -1 16)" | while read i; do printf "\x1b[48;5;${i}mHi $USER\n"; sleep .02; done
Warning: pretty psychedelic colors ^^

One can always open run this in bash running in a Docker image like so:

  docker run -it ubuntu /bin/bash

True, but remember the wise words of Dan Walsh "Containers Don't Contain" in that if you run as root inside of a container without careful consideration, bad users can absolutely break out, just like in a chroot.



In newer docker, the defaults are really good, but even then, it is worth reading up.

Interesting. Thank you.

If you want to generate html, say for converting to an email you can use http://www.pixelbeat.org/scripts/ansi2html.sh

For example:

    your_script | ansi2html.sh --bg=dark > blah.html

    your_script | ansi2html.sh | mail -a "Content-Type: text/html" Your@email.com

Very cool, can we have image import feature too :)

Perhaps you can use my command line image printer for something like that: https://github.com/Tenzer/explosion.

You might be interested by img2txt (https://github.com/hit9/img2txt) or libcaca (http://caca.zoy.org/wiki/libcaca). There are a lot of resources in this old HN thread too: https://news.ycombinator.com/item?id=7776112

Howdy all. I posted this on lobste.rs and it kinda took off. Glad to see it here again after all these years.

Ask me anything. And feature/pull requests can be made here: https://github.com/binarymax/bashfill

Happy bashfilling!

Neat! Just wish I could draw something worth while...

pretty cool, can you make the blocks smaller though improve detail?

You can’t. It uses characters for pixels so you have either scale up your terminal or use a graphical image display.

You can use braille unicode characters for sub-character dots as in https://github.com/rastapasta/mapscii

Yes but you can’t use different colors for different dots in the same character.

If you know that you'll be zoomed way out, and have a big screen, you can fork it and change the dimensions. Terms are 80x23. I made it 40x23 to get squareish blocks. Feel free to go crazy with the dimensions and try it out.

That would be interesting, but first you'd have to write a new terminal type. And then there would be... another step or two.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact