It’s weird how hard that piece of shit is being pushed. Anyone found a backdoor?
From what I gather, the only thing they’ve got going for them is that they’re actually contacting key people to try out the distro, as well as timing that campaign to coincide with the EOL of Win10.
But yeah, so annoying to see when there’s so many better alternatives by better people out there.
As for the latter, I haven’t confirmed this myself, but I’ve been hearing that there’s a lot of curling into bash going on, so yeah.
It’s like Bluesky when Mastodon was sitting right there
Why are the “better people” not advertising as much now? Don’t people understand that advertising is the key to popularity?
Not sure why exactly, but if I had to guess it’s probably a lack of marketing people in the FOSS world in general.
Recently I’ve only really seen the End of 10 campaign from the KDE folks gaining a bit of traction, but even that’s more vaguely pointing in the direction of Linux than anything.
I don’t think that’s how that works.
I think they mean using curl to grab something and piping the output to bash so it is executed locally.
And it is pretty common. Things like ohmyzsh use it. I find it scary because you’re running things direct from the web without any package signature architecture. I would trust the omz people but what if their GitHub was compromised? But don’t check any of the source? No. I don’t anyway, but with a bit of fear :/
Even if you check, you should download with curl and check the downloaded file, then run that, as a malicious server could present a normal download to browsers based on user agent and other fingerprinting data, while presenting a malicious script to curl.
Wish people would stop suggesting the pipe to bash scripts as an install method, but the simplicity of being able to tell all Linux and Mac users to just paste a string into their terminal to install and letting the script deal with any differences between systems is probably why we keep seeing it for major projects, rather than a long list of instructions for different distros.
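The download, check, then run sequence described in the comments above, as an added example that is not part of any commenter's post or of any project's installer. It assumes you hold an expected SHA-256 for the script (recorded after reading the file yourself, or published by the project through a separate channel); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: run an install script only if the bytes on disk are the
# bytes that were reviewed, instead of `curl <x> | bash`.

# sha256_of FILE: print the hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS fallback
    fi
}

# verify_script FILE EXPECTED_SHA256: return 0 only on an exact digest match
verify_script() {
    local file=$1 expected actual
    [ -f "$file" ] || return 2
    # Normalise hex case; an empty expected digest must never match.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 1
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Saves the script with the same client that will execute it, so what gets
# checked is exactly what this curl request received.
fetch_verify_run() {
    local url=$1 expected=$2 tmp rc
    tmp=$(mktemp) || return 1
    # -f: an HTTP error page is never saved as the script; HTTPS only.
    if ! curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "refusing to run: SHA-256 mismatch for $url" >&2
        rm -f "$tmp"
        return 1
    fi
    bash "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

A digest pinned this way only proves the file has not changed since it was reviewed; it does not replace a signed package repository.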
curl <x> | bash
No signature check on the omarchy rarch repo. Even chaotic aur signs their packages.
So malicious Bash, Bind, Kernel, etc…
well with the horribly written bash and curl it includes, wouldn’t surprise me at this point.