
I mean, untarring a downloaded tarball from somewhere and running `make` is just as dangerous, right? Only there you can make sure the checksum matches, but people skip that step all the time.



Matches against what? If the website is compromised the checksum can be compromised as well.

If the tarball is not PGP-signed by the author (e.g. Bazaar and Tor Project do that), checking the checksum is basically checking if the server you’re downloading from didn’t have any silent data corruption (see recent KDE hosting incident), because in transit TCP does its own checksumming anyway.


Running code that you don't trust is a bad idea. But the point of the article is:

* When copying from the web, what you see on the page might not be what ends up in your clipboard,

* When pasting into a terminal, any text with endlines will execute immediately.

As a result, just pasting anything from the web into a terminal window might execute arbitrary code, without any further action on your part.
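
The two points in the comment above, written as a check to run on text before it reaches a terminal. This is an added example, not part of the original thread; the function names and both sample strings are constructed for illustration.

```python
import unicodedata


def audit_paste(clipboard: str, visible: str) -> list[str]:
    """Return findings for text about to be pasted into a terminal.

    clipboard: what the clipboard actually holds.
    visible:   what the reader believes they selected on the page.
    """
    findings = []
    # Point 1: the clipboard content is not the text that was displayed.
    if clipboard != visible:
        findings.append("mismatch")
    # Point 2: a line terminator makes the shell run the line as soon as it is pasted.
    body = clipboard.rstrip("\r\n")
    if clipboard != body:
        findings.append("trailing-newline")
    if "\n" in body or "\r" in body:
        findings.append("embedded-newline")
    # Control and format characters (ESC, backspace, zero-width space) do not
    # show up on screen, which is how the two texts can differ unnoticed.
    hidden = sorted({f"U+{ord(c):04X}" for c in body
                     if c not in "\r\n"
                     and unicodedata.category(c) in ("Cc", "Cf")})
    if hidden:
        findings.append("control:" + ",".join(hidden))
    return findings


def safe_to_paste(clipboard: str, visible: str) -> bool:
    """True only when the clipboard is exactly the single line that was seen."""
    return audit_paste(clipboard, visible) == []


# Constructed sample: the page shows one command, the clipboard holds two lines
# plus an invisible zero-width space.
VISIBLE = "git clone git://example.invalid/repo.git"
CLIPBOARD = ("git clone \u200bgit://example.invalid/repo.git\n"
             "echo constructed-extra-line\n")

if __name__ == "__main__":
    for finding in audit_paste(CLIPBOARD, VISIBLE):
        print("finding:", finding)
    print("safe:", safe_to_paste(CLIPBOARD, VISIBLE))
```
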


You should basically compile everything yourself and read all the source code yourself if you want to be secure.

Good luck with that though. (Especially with things like, I don't know, browsers.)


My point exactly. No one is ever actually going to read all the code, so you have to start your trust somewhere. Especially if you're going to type `sudo make install` at the end (which is why I advocate things like ~/.local to prevent the need for that, but I digress).


Have you never seen a third-party How To?



