
You're piping random executables from the internet without even looking at them to see what they do if you run that command.



There's no pipe involved in the GP's posting. It downloads a source file and the post even points out to check the file before compiling. I actually copied and pasted the test code from the original advisory. Should I have typed it in with my own bare fingers to be more secure? I agree with your sentiment in general, you just picked the wrong example to bash here.


I was responding to the later posts who were confused as to why someone would laugh at seeing that. You're right that you said to check and I wasn't trying to bash that post at all.

That aside, I actually did type it into my disposable VM. The theory being that if there was something subtle, it would force me either to type it wrong and not be exploited due to cognitive blindness or I'd catch the problem and avoid it.

I've read too many IOCCC entries and I probably am a bit paranoid.


The average Linux IT guy will not read the C code. Many of them wouldn't be able to really understand what it does either. And this is the best case: the code is simple and easy to grok.


If you're not reading the code you can just as well curl-and-pipe it. However, we run so much code on our computers that is trusted-by-association (oh, that's from apache.org, that's probably safe!) that it probably does not matter anyways.


    > You're piping random executables from the internet
    > without even looking at them to see what they do if you
    > run that command
... and then in your profile:

    > Just another Perl hacker.
You audit every CPAN module you install, line by line, right?



