Heellll no, the scripts are publically available to read over if you’re sketched out. They save you so much time to actually get to using the service. 98% of my homelab is from these same helper scripts too.
RIP tteck
Comment on Proxmox VE Helper-Scripts
atzanteol@sh.itjust.works 1 week ago
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
This entire trend needs to die. Package managers exist. Use them. Shun and shame sites that promote shell script installers.
Burghler@sh.itjust.works 1 week ago
non_burglar@lemmy.world 1 week ago
Have you ever looked at what was once ttek scripts? They’re a spaghetti of calls to other scripts. It’s not pretty.
Burghler@sh.itjust.works 1 week ago
Wtf you’re my opposite D:
I did and had a decent time with ctrl shift F’ing around. Took a moment since bash isn’t my strong suit.
interdimensionalmeme@lemmy.ml 1 week ago
They work so what is your objection ?
If you are worried pipe it into chatgpt with the prompt
“tell me why this script is safe to use”non_burglar@lemmy.world 1 week ago
I thought I was being clear that I have audited some of the scripts. They are built referencing other scripts instead of functions, and these rely on URLs. It’s difficult to follow.
Don’t ask chatgpt to audit code.
atzanteol@sh.itjust.works 1 week ago
You can install with package managers and include with it a helper script to setup the service. No big deal.
But can you spot the difference between
http://myservice.com/script.shandhttp://myserv1ce.com/script.shif you use a font that doesn’t make it clear? If you get people used to just copy/pasting/running scripts then there’s a risk they’ll run something entirely different by accident.There’s no good reason to install things this way.
Burghler@sh.itjust.works 1 week ago
But this is a trusted source with years of credibility. Why would any sensible competent tech user copy paste from other places because this one worked.
You’ll be pissed when you hear about Linux game server manager then. It’s all helper scripts over https
atzanteol@sh.itjust.works 1 week ago
Why would any sensible competent tech user copy paste from other places because this one worked.
Because sites like this and people like you are normalizing the practice. I have seen numerous curl | sh commands pasted on lemmy telling people “how easy it is to install blank”.
interdimensionalmeme@lemmy.ml 1 week ago
Some people have jobs and families to attend and can’t afford weeks figuring out linux idiosyncrasies. This works.
Yes it would be nice to have an official LXC repository, but we don’t
Tell the LXC people we should have had one already instead of splitting hairs with docker.
panda_abyss@lemmy.ca 1 week ago
I don’t like that an adversary could modify that link or its contents without much detection or any logging.
When you compare it to package managers that have immutable versioning that’s a big downfall. If someone were modifying pypi or npm packages I would be surprised if it went undetected.
Realistically is that an issue, probably not. But I do try and reduce my exposure when I can.
frongt@lemmy.zip 1 week ago
Fun fact, a malicious server can detect the difference between you loading the script for inspection in your browser, and you doing
curl | sh, and could serve an entirely different script.atzanteol@sh.itjust.works 1 week ago
Yeah - it’s remarkable that I receive pushback about it. I guess it’s down to the technical immaturity of your average home-gamer vs. people who support Linux systems for a living?
interdimensionalmeme@lemmy.ml 1 week ago
Of course, Linux sysadmin needs linux to remain a ceaseless whirlpool of busywork, that’s what they’re paid for. Imagine having a tool that cuts the bullshit out of using linux, it would put them right out of business if the users could just do the things they want to do without having to beg the middleman.
signalsayge@infosec.pub 1 week ago
That’s why I also self host the scripts I’ve vetted…
deafboy@lemmy.world 1 week ago
Piping scripts directly to bash is a security risk
Nobody has ever explained why. What is the difference between executing a script directly from curl, and adding a repository which downloads a package which contains a script.
atzanteol@sh.itjust.works 1 week ago
The URL can point to a different file. People can post maliciously similar URLs and trick you into running something else.
With a repository you have some semblance of “people have looked at this before”. Packages are signed and it will provide a standard way to uninstall and upgrade in the future.
There’s literally no good reason to replace it with a shell script on a website.
splendoruranium@infosec.pub 1 week ago
There’s literally no good reason to replace it with a shell script on a website.
I fully agree that a package manager repository with all those tools would be preferable, but it doesn’t exist, does it? I mean… content is king. If the only way to get a certain program or functionality is a shell script on a website, then of course that’s what is going to be used.
interdimensionalmeme@lemmy.ml 1 week ago
Here is a good reason
root@proxmox:~# apt install vaulrwarden Reading package lists... Done Building dependency tree... Done Reading state information... Done E: Unable to locate package vaulrwarden root@proxmox:~#
It’s the difference between “it works” and “it doesn’t”
Mondez@lemdro.id 1 week ago
IMO these kinds of poor man’s automation scripts are only useful to novice sysadmins but those are exactly the kind of people who shouldn’t be running scripts they piped from the internet for both the fact that it’s risky behaviour and the fact they don’t then get the experience doing this manually for themselves to move on from being novice.
That said, let’s not gate keep. If novices don’t want to gain experience actually doing sysadmin work and level up their abilities and just want stuff that will probably work but that they’ll not be able to fix easily if it doesn’t, at least it’s a starting point and when things break some of them will look deeper.
atzanteol@sh.itjust.works 1 week ago
That said, let’s not gate keep.
This shouldn’t be an excuse for promoting risky behavior.
interdimensionalmeme@lemmy.ml 1 week ago
I asked repository maintainers and they said “LXC is not for apps” and of course docker is a good way to waste your weekends. So we don’t have repositories, we have scripts.
If you disagree, go tell them
discuss.linuxcontainers.org/t/…/14946
Until then, people who have sacrificed enough of their weekend to the linux gods will be pipe internet text into their root consoles
atzanteol@sh.itjust.works 1 week ago
Until then, people who have sacrificed enough of their weekend to the linux gods will be pipe internet text into their root consoles
“I’ll do what’s easy even if it’s not good” is a terrible approach to, well, anything. I would expect people in this community to look for guidance on what the best way to do things is. Seems I’m wrong.
interdimensionalmeme@lemmy.ml 1 week ago
Well look, the people at helper-scripts, they have done the legwork, often as groups, the probably that you even COULD do a better installation section is already very unlikely … no more than that it’s implausible. These people are more dedicated, they started earlier and they’re already done, you are not going to do a better job than them, even if you tried, by the time you did, which realistically, unless you’re doing linux for money, you probably won’t even finish, but even then by the time you’ve re-invented the entire wheel, they will have progressed further, and there is more of them than there is of you, you will NEVER catch up.
But listen, I hear you, I hear your paranoia, your belief that there are bad people out there out to get you. Well I’m sorry but I have to tell you, those people simply do not care enough to break in to helper-scripts. Even if they did they’d get found out. It hasn’t even happenned yet even though the effort has been a huge success of people just like you coming together and dealing to put an end to the endless linux bullshiterry and making things actually work.
The odds that someone will manage to infiltrate without anyone figuring it out are so low that they are in fact insignificant.
Unless you have the resources of multiple militaries at your disposal, there is simply NO justification from trying to do your own helper-scripts, by yourself and then keep them for yourself. None, it’s mental illness to even attempt.
atzanteol@sh.itjust.works 1 week ago
It’s not just this site though is it? I have been seeing a proliferation of
curl | shellbullshit for some time now. Lots of sites doing it and people are posting those commands in forums, etc. telling others how easy it is to install that shiny piece of software! “But people should know better” I hear you whine, “They should read scripts before executing them.” But we all know people won’t do that. Especially not the sort of people who are arguing in favor of this practice, and certainly not the newbs these are targeted at.
HybridSarcasm@lemmy.world 1 week ago
Apples and oranges.
Package managers only install a package with defaults. These helper scripts are designed to take the user through a final config that isn’t provided by the package defaults.
No need to be elitist about such things.
atzanteol@sh.itjust.works 1 week ago
This is trivially solved by having a “setup” script that is also installed by the package manager.
frongt@lemmy.zip 1 week ago
No, package installers support configuration. Plenty of packages (e.g. postfix) prompt for configuration at install time.
splendoruranium@infosec.pub 1 week ago
Whether there’s a setup wizard doesn’t have anything to do with whether the tool comes from a package manager or not. Run “apt install ddclient”, for example, it’ll immediately guide you through all configuration steps for the program instead of just dumping a binary and some config text files in /etc/.
So that’s not the bottleneck or contradiction here. It’s just very unfortunate that setup wizards are not very popular as soon as you leave Windows and OSX ecosystems.