Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

On my linux machines, generally, I'll only install software from trusted sources, say rpm repos or ubuntu sources. In this case, yes, I would review the source of this file before running it.

For example, I would notice that it requires apt-get

  echo "Ensuring basic dependencies are installed..."
  apt-get -qq update
  apt-get -qq install lxc wget bsdtar
Then it downloads some binary into /usr/local/bin, at this point, I'd probably configure a VM to review this further.


But would you review the source of Docker too?


I think I get where you're going with this, in that, the burden to run this and review the source is too high, that it almost seems like a waste of time. If that is your point, then I agree with you.

I don't know much about docker, but doing a "curl | sh" peeks my interest, then downloading additional binaries into /usr/local/bin, I'd want to take a closer look. Obviously, this is a case by case review, till it sits well with me. If I was going to run this in production, I'd want to have a really good idea of what this was doing and what to expect, so I'd probably take a closer look at the source if it was not clear from the documentation.


Completely non-judgmentally, it's piques my interest, so you can spell it right next time. (I have the opposite problem: I spell things right and say them wrong.)


I met someone who pronounced "queue" as "kway", as in "I need to go clear my mail kway".

That is all.


Do you reverse engineer your CPU's schematics?

This can go on pretty far - trust is always an eventually unsolvable issue.

There is a certain level of trust that is easy to achieve and easy to get. Trusting dotcloud is easier than trusting everyone on the internet is pink bunny. Happens to be that HTTPS and signing aren't exactly hard either ;-)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: