
Rant

Posted Nov 8, 2018 16:24 UTC (Thu) by jccleaver (guest, #127418)
In reply to: Rant by NAR
Parent article: Limiting the power of package installation in Debian

> LWN itself mentioned the "curl | sudo" pattern, which seems to get more and more popular.

Anyone who runs "curl | sudo" deserves to have their root access taken away.



Rant

Posted Nov 8, 2018 18:03 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Why? This pattern is at least honest, as it shows you that you need to run some code as root. Debian packages do that sneakily.

Rant

Posted Nov 8, 2018 18:40 UTC (Thu) by jccleaver (guest, #127418) [Link] (3 responses)

> Debian packages do that sneakily.

If you think a .deb/.rpm package running a %post script is "sneaky", you might deserve to have your root access taken away too.

Rant

Posted Nov 8, 2018 18:42 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

So how is "curl | sudo" different from adding a repository and doing "apt-get install"?

Rant

Posted Nov 8, 2018 20:36 UTC (Thu) by rweikusat2 (subscriber, #117920) [Link] (1 responses)

This depends on how much the person who created the repository hates you and wants to hurt you. For the most general case, the package you're installing could just contain a script running curl | sudo as root.

Assuming an attempt was made to create sensible packages, one will have the usual benefits of using managed packages, e.g., query which packages were installed, which files belong to which packages, update or remove installed packages easily, doing OS updates without "clean reinstalls" etc.

I've extensively done both in the past and in my opinion, packages are a lot less of a hassle to deal with. YMMV. But it's worth a try.

Rant

Posted Nov 9, 2018 6:27 UTC (Fri) by flussence (guest, #85566) [Link]

> This depends on how much the person who created the repository hates you and wants to hurt you.

In practice it's usually repositories run by billionaire corporations like Microsoft, Google and Valve that are the most likely to hurt you. Repositories where it's an actual person's neck on the line usually have some semblance of QA.

Rant

Posted Nov 8, 2018 21:24 UTC (Thu) by NAR (subscriber, #1313) [Link]

On a single-user desktop it doesn't make much sense...


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds