tasiaiso/tasiaiso.vulpecula.zone
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

write shit

Browse source
This commit is contained in:
Tasia Iso 2024-05-23 13:50:15 +02:00
parent 8365602311
commit ab76a46060
Signed by: tasiaiso
SSH key fingerprint: SHA256:KiRjUay5C9i6objsEOIycygBHn54pDBB3Lj7fyJ0Elw
5 changed files with 51 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
docs/index.md
View file

@ -78,8 +78,9 @@ If you like my posts, please consider supporting me on [Liberapay](https://liber
## changelog ## changelog
### v1.0.2 (2024-0x-xx) ### v1.0.2 (2024-0x-xx)
- add tea's badge - add tea's badge
- (backend) move scripts to Makefile - move build scripts to a Makefile
### v1.0.1 (2024-05-18) ### v1.0.1 (2024-05-18)

22
docs/posts/curlpipebash.md
View file

@ -3,20 +3,26 @@ date: 2024-05-08
unlisted: false unlisted: false
--- ---
# curl | bash DONE # Using curl | bash safely
> I don't know what I'm doing.
> This is
>
> Take everything I say here with a wheelbarrow of salt. Do your own research. Don't trust *one* random peron on the internet with your infrastructure.
In April of 2024 I wrote [a post](./old-curlpipebash.md) on Fedi explaining that using `curl | bash` was not a security risk.
I based my original argument on the fact that you ultimately have to trust the person that provides you the code.
In April of 2024 I wrote a post on Fedi explaining that using `curl | bash` was not a security risk.
<!-- discuss on ? --> <!-- discuss on ? -->
A bit later, I discussed on the same topic in a Matrix channel. A bit later, I discussed on the same topic in a Matrix channel.
The people involved showed me how it was actually a bit risky to use `curl | bash`. The people involved showed me how it was actually a bit risky to use `curl | bash`.
This is what caused me to do research on the topic and write this post. This is what caused me to do research on the topic and write this post.
<!-- which is true, but *incomplete*. -->
But is it actually dangerous ? But is it actually dangerous ?
Is the cake a lie ? Is the cake a lie ? <!-- ? -->
Well, as you could probably imagine, it turns out that the answer actually is, "it depends". Well, as you could probably imagine, it turns out that the answer actually is, "it depends".
I based my original argument on the fact that you ultimately have to trust the person that provides you the code, which is true, but *incomplete*. I'll talk about what the actual dangers of using `curl | bash` are, and how we can mitigate them.
I'll present to you the actual dangers of using `curl | bash`, and how we can mitigate them.
> TL;DR: If you're here because you just want to download software, go for it. You're *probably* going to be just fine. If you're interested in learning or want to implement a `curl | bash` script however, please read the rest. > TL;DR: If you're here because you just want to download software, go for it. You're *probably* going to be just fine. If you're interested in learning or want to implement a `curl | bash` script however, please read the rest.
@ -123,7 +129,7 @@ An example infrastructure would look like this:
- Signing authority (alternative) - Signing authority (alternative)
- Managed by gitea.com - Managed by gitea.com
<!-- - Hosted by DigitalOcean (Germany) --> <!-- - Hosted by DigitalOcean (Germany) --> TODO
<!-- - OS: NixOS --> <!-- - OS: NixOS -->
<!-- - HTTP server: Nginx --> <!-- - HTTP server: Nginx -->
- Domain: `gitea.com` - Domain: `gitea.com`
@ -168,6 +174,8 @@ else
fi fi
``` ```
This can be minified a bit, but it's more readable like that.
### Updating the script ### Updating the script
When a new artifact is available, the artifact provider has to start hosting it. When a new artifact is available, the artifact provider has to start hosting it.

2
docs/posts/mkdocs-blog.md
View file

@ -3,3 +3,5 @@ unlisted: true
--- ---
# teach how to make this blog in mkdocs # teach how to make this blog in mkdocs
TODO: get a gemini capsule built first

32
docs/posts/old-curlpipebash.md Normal file
View file

@ -0,0 +1,32 @@
---
date: 2024-05-22
unlisted: true
---
# curl | bash: original post
> TODO
> WARNING: this post has been written in April of 2024 because
>
> I put this post here because I had deleted it from fedi before thinking it'd be better to have it available *somewhere*.
>
> Most of the points I made here are valid, but I've realied that as a whole this is bullshit. My tone is unnecessarily heated and
>
> My opinion has since changed; see my newer [blog post](./curlpipebash.md). cya
For those that go crying on social media about an application telling you to `curl | bash` or even to `curl | sudo bash` because you're running arbitrary code as root:
That is useless unless you plan to carefully review and audit every line of code that runs on your computer.
Even if you do install said app, do you actually trust it's code ?
Do you trust it's dependencies ?
What about it's subdependencies ?
There's an infinity of ways to infect an open-source repo with bad code, and some of them are actually scarily easy to perform.
Do you trust that your favorite compression utility doesn't contain code that backdoors freaking ssh (<https://nvd.nist.gov/vuln/detail/CVE-2024-3094>) ?
Do you trust that a script won't remove a critical system directory because of a misplaced space (<https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123>) ?
Or that an ubiquitous logging library can allow remote code execution because of a bad default configuration (<https://en.m.wikipedia.org/wiki/Log4Shell>) ?
I hope I can get this message stuck deep inside your head and let you know that unless you make your own operating system from scratch (including your free bootloader, kernel, gpu driver and the rest), you have to trust somebody.
And it only takes one mistake to compromise a whole distribution, or even worse.
You have to balance between having a new shiny program and having a new way to get shelled.

1
docs/posts/tulpamancy.md
View file

@ -1,5 +1,4 @@
--- ---
summary: Creating people in your head.
date: 2024-05-08 date: 2024-05-08
unlisted: true unlisted: true
--- ---