Furthermore, I can't possibly audit every single line of every open source project I run on my personal machine. Did you review every line of the last distro you installed? A python package installed via pip can just as easily 'rm -r ~' as a bash script can, as can a vim plugin, etc. etc. In the end, it often comes down to trust, and credibility.
What have you done to yours?
Minor nit, but I think it adds to your comment.
Meanwhile, merging that pull request seems downright stupid, but maybe there are mitigating factors I'm not aware of?
Don't put your name on stuff you don't want merged.
Congratulations for proving your point by destroying other people's work.
Seriously that's nothing you would expect from a thoughtful person.
Lesson learned, and it got me into PHP security, but I can't help but feel there are nicer ways to go about giving such an important lesson...
My own experience by proxy: A colleague of mine kept everything he owned on a single CDRW. It got put in a Pioneer slot loader. A few seconds later "boom" and the disk shattered into thousands of small pieces. He cried. I, and the 15 other people in the room, learned about keeping backups in multiple locations.
The same thing happens when a seal eats a penguin. Hundreds of other penguins learn to keep away from seals.
And the dramatic irony is: he tried to warn people that bad things can happen if they run scripts without verifying... by doing _exactly_ what he is warning about -- doing malicious stuff to you. It wasn't well thought out, was it?
Lesson: one can make a point without deleting someone's home directory... (or something equally evil)
No. Not silly. Not at all.
"I think I was the muppet they got to pull the trigger of the gun they pointed."
~They got me to pull the trigger.~
~I'm just a muppet.~
No. Not a muppet. Not at all.
If anything is sickening, it's this readiness to assign blame and exaggerate guilt.
He saw someone making a careless rookie mistake, who quite obviously didn't really understand what they were doing, and equally obviously didn't understand how dangerous it was, and then deliberately put a live landmine in their way.
He then posted to his blog saying how shocked, amazed and not in any way responsible he was for the resulting explosion.
How would you characterise that?
Saves the trouble of having to learn how to attack security vulnerabilities if you can simply have the user r00t themselves for you...
The real lesson here is DON'T MERGE PULL REQUESTS YOU HAVEN'T LOOKED AT.
Also the owner of the script saying that the person should not made a pull request (and a issue) instead is missing the point, not that I agree with a dangerous pull request (in case the owner of the repository is crazy), but the owner of the repository merging the request just because it was a request (instead of a issue) sounds like someone wishing to shit to happen.
It would be like pushing a wedge into the train tracks and blaming the guy (that also had the bad idea) to put the wedge near the tracks.
Like Ruby developers, for example?
"curl -L https://get.rvm.io | bash -s stable --ruby"
The Underhanded C Contest was a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice.
That's accomplished by the author publishing a sha256 hash and me following this workflow:
curl http://scriptname > scriptname.foo
sha256 scriptname # visually verify that it looks right from the web site
Note that, e.g., Calibre, has their Linux update procedure to be as follows:
sudo python -c "import sys; py3 = sys.version_info > 2; u = __import__('urllib.request' if py3 else 'urllib', fromlist=1); exec(u.urlopen('http://status.calibre-ebook.com/linux_installer').read()); main()"
To decode the Python: that command/script downloads a script from the internet without verification, and executes it as root.
I could download their install script, read it through and then proceed to run it
Since I'm trusting rvm not to do any harm in the first place, I might as well use their handy one-liner and install it in one go. Anything they can do in their one-liner they can do to me when I install rvm anyways.