Hacker News

The repo owner was stupid for not checking what they were merging, and the author is stupid for making the pull request in the first place. If they wanted to prove a point, they should have merged something a little less harmful, like "echo This file could have deleted your home folder. Don't run random scripts from the Internet without inspecting them first."

Right. If you are going to troll, do it with something annoying but harmless: download and play an audio file, lock the screen so they have to sign in again, pop open 100 gnome-shells, etc.

Back in the day, the goatse was the preferred method of education.

Rickrolls seem a bit tame comparatively.

Opening 100 gnome shells that will crash my system and make me lose whatever I was working on is NOT harmless.

Wow, how disappointing. And poor title to describe a very bad decision by a human being, not a movement. This has nothing to do with open source, and everything to do with human nature. Someone on the inside of a closed source project with commit rights at a company with a poor review process could just as easily have done this to make some kind of point. Same result.

Furthermore, I can't possibly audit every single line of every open source project I run on my personal machine. Did you review every line of the last distro you installed? A python package installed via pip can just as easily 'rm -r ~' as a bash script can, as can a vim plugin, etc. etc. In the end, it often comes down to trust, and credibility.

What have you done to yours?

What kind of title is this? "Evil Open Source". It has nothing to do with the content. The linked post itself is titled "OMG rm -rf ~ in a valentine bash script and its partly my fault??!?!"

I accidentally downmodded you. But +1, the title has nothing to do with the app. Both people involved are very, very immature.

It also isn't technically Open Source. I didn't see anywhere in the REPO that stated it was Open Source. At best, it's Freeware/Shareware, at worst, you're stealing the author's work by downloading.

Minor nit, but I think it adds to your comment.

What's with "partly" anyway? More like "entirely", regardless of the muppet conspiracy theory.

I'm not sure I understand how you got to "entirely". Yes, his pull request was dangerous, but it also reveals how the repo owner would accept just about any pull request you send him. That seems like a major issue. I'm sure both parties involved will not make these mistakes in the future.

I get the impression he was not expecting that pull request to get merged. This was silly, but not malicious. He wasn't trying to delete home directories to prove a point: the point he was making was directed at the repo owner.

Meanwhile, merging that pull request seems downright stupid, but maybe there are mitigating factors I'm not aware of?

Don't issue pull requests that you don't want merged. It's really that simple. The maintainer could easily merge it by accident by absentmindedly clicking the button they normally click in response to well-formed pull requests while thinking they'd rejected it. Maybe they have a cat, or a toddler, who knows?

Don't put your name on stuff you don't want merged.

"Your house is not fire-proof, that's why I burned it."

Congratulations for proving your point by destroying other people's work.

Seriously that's nothing you would expect from a thoughtful person.

"Your house is not fireproof, so to taunt you a bit I'm going to throw some burning matches in your frontyaOH MY GOD WHY DID YOU THROW A BUCKET OF GASOLINE ON THEM?"

This reminds me of the prat that decided to teach me a lesson in PHP security by exploiting my first script & deleting my entire website when I was 15. :(

Lesson learned, and it got me into PHP security, but I can't help but feel there are nicer ways to go about giving such an important lesson...

Like adding a note that he could've deleted all your files. This is just vandalism disguised as a "heads-up."

Sometimes the hard way to learn the lesson is the best way and sometimes a costly mistake by someone is an education for lots of people. It's an unfortunate side of human nature but it's valuable.

My own experience by proxy: A colleague of mine kept everything he owned on a single CDRW. It got put in a Pioneer slot loader. A few seconds later "boom" and the disk shattered into thousands of small pieces. He cried. I, and the 15 other people in the room, learned about keeping backups in multiple locations.

The same thing happens when a seal eats a penguin. Hundreds of other penguins learn to keep away from seals.

If I teach some people web security I post some fancy chiptune music from YouTube with autoplay. Problem proved, much cooler, lesson learned. All happy.

It's a shame, the fact that he decided to rm -rf ~ has hijacked the point he was trying to make in the first place. Now everyone's discussing if there's a better way of making his point rather than downloading random scripts on the internet and running them.

And the dramatic irony is: he tried to warn people that bad things can happen if they run scripts without verifying... by doing _exactly_ what he is warning about -- doing malicious stuff to you. It wasn't well thought out, was it?

Lesson: one can make a point without deleting someone's home directory... (or something equally evil)

"In a fit of silliness"

No. Not silly. Not at all.

"I think I was the muppet they got to pull the trigger of the gun they pointed."


~They got me to pull the trigger.~ ~I'm just a muppet.~

No. Not a muppet. Not at all.


Stop being a judgemental ass. He expected the pull request to be read and ignored, not blindly (or maliciously) merged.

If anything is sickening, it's this readiness to assign blame and exaggerate guilt.

> ..not blindly (or maliciously) merged..

Or accidentally.

He saw someone making a careless rookie mistake, who quite obviously didn't really understand what they were doing, and equally obviously didn't understand how dangerous it was, and then deliberately put a live landmine in their way.

He then posted to his blog saying how shocked, amazed and not in any way responsible he was for the resulting explosion.

How would you characterise that?

I disagree; why would you even submit a pull request if you expect it to be ignored? I think the whole point was to write a sensational blog post.

Editors: can we get the title fixed, please? This has nothing whatsoever to do with open source.

So since we're all so busy assigning blame here, who is going to blame the end user for deciding to pipe a script straight from the Internet into a shell, whether directed by a README or not?

Saves the trouble of having to learn how to attack security vulnerabilities if you can simply have the user r00t themselves for you...

Haha. Next time if you are just trying to make a point to the open source maintainer who's supposed to be reviewing your pull request, write the payload but comment it out so it doesn't actually do anything.


I don't know who is crazier here.

Also, the owner of the script saying that the person should not have made a pull request (and an issue instead) is missing the point. Not that I agree with a dangerous pull request (in case the owner of the repository is crazy), but the owner of the repository merging the request just because it was a request (instead of an issue) sounds like someone wishing for shit to happen.

It would be like pushing a wedge into the train tracks and blaming the guy (who also had the bad idea) who put the wedge near the tracks.

Among people gullible enough to download and run executables containing random unknown content, the blogger has now lost some personal credibility, but the good news is the gullible will continue to download and run executables containing random content because they see the story as an individual social norms violation, not a miserable systemic failure. The blogger was successful in that had he not submitted a rm -Rf and then publicized the story, the problem would not be discussed at all, but it was a failure in that the story only resonates with those who already don't care about security.

> Among people gullible enough to download and run executables containing random unknown content

Like Ruby developers, for example?


"curl -L https://get.rvm.io | bash -s stable --ruby"

This is one of my pet peeves of late - so many tools and tutorials advise the user to curl and pipe some script off the net to install and make it work. Why aren't we teaching people to be a little cautious - to download, review and then install? How did developers become so lazy, and so coddled, that we desire convenience over security or forethought? Or worse, is it really due to an increasing number of developers who are unable rather than unwilling to review scripts, tools or libraries before use? Do we need a new movement for 'the literate programmer', that emphasises the need to learn more than just the core language or framework or ecosystem that they are using?


The Underhanded C Contest was a programming contest to turn out code that is malicious, but passes a rigorous inspection, and looks like an honest mistake. The contest rules define a task, and a malicious component. Entries must perform the task in a malicious manner as defined by the contest, and hide the malice.

In general I don't want to spend time reading source of software I use. If I'm downloading a script from a trusted source, I like to be confident that I'm getting the right script.

That's accomplished by the author publishing a sha256 hash and me following this workflow:

    curl http://scriptname > scriptname
    sha256 scriptname  # visually verify that it looks right from the web site
    chmod 755 scriptname

Of course, if I'm downloading from an untrusted source, I review the script and any commands I miss.

Note that, e.g., Calibre has their Linux update procedure as follows[1]:

    sudo python -c "import sys; py3 = sys.version_info[0] > 2; u = __import__('urllib.request' if py3 else 'urllib', fromlist=1); exec(u.urlopen('http://status.calibre-ebook.com/linux_installer').read()); main()"

I'm sorry, but I don't see any verifications that calibre has not been rooted and malware installed. It's not HTTPS either, so I won't even get an SSL warning for a MITM attack.

To decode the Python: that command/script downloads a script from the internet without verification, and executes it as root.

[1] http://calibre-ebook.com/download_linux
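A scripted version of the hash-check workflow described two comments up, which is also exactly the verification step the Calibre one-liner lacks. This is an added example, not code from any commenter or from Calibre; it assumes the expected digest was obtained out of band (e.g. read from the project's HTTPS page) and fed in as a parameter, and it refuses to make the file executable when the digests differ instead of relying on eyeballing the hash.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a published SHA-256
# digest before making it executable. The digest must come from a different
# channel than the download itself, otherwise a MITM can replace both.

# Print the SHA-256 hex digest of a file, whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"            # BSD tool used in the comment above
    fi
}

# verify_then_trust FILE EXPECTED_HEX
# Returns 0 and marks FILE executable only if the digests match. On a
# mismatch the file is left non-executable and 1 is returned, so a tampered
# or truncated download never becomes runnable by accident.
verify_then_trust() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        printf 'REFUSING %s: expected %s, got %s\n' "$file" "$expected" "$actual" >&2
        chmod a-x "$file"
        return 1
    fi
    chmod 755 "$file"
    return 0
}

# Constructed sample run (no network): a locally written installer stands in
# for the curl download, and its digest plays the role of the published one.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho installing\n' > "$demo_dir/installer.sh"
published=$(sha256_of "$demo_dir/installer.sh")
verify_then_trust "$demo_dir/installer.sh" "$published" && echo "ok: digest matched"
# Simulate modification in transit: the digest no longer matches.
printf 'echo tampered\n' >> "$demo_dir/installer.sh"
verify_then_trust "$demo_dir/installer.sh" "$published" || echo "ok: tampered file refused"
```

Piping the output of curl straight into a shell skips every one of these steps; splitting download and execution is what makes the check possible at all.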

Scenario: I want to install rvm

I could download their install script, read it through and then proceed to run it.


Since I'm trusting rvm not to do any harm in the first place, I might as well use their handy one-liner and install it in one go. Anything they can do in their one-liner they can do to me when I install rvm anyways.
