[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Scott Ferguson scott.ferguson.clug at gmail.com
Wed Jul 29 05:56:11 UTC 2015


On 29/07/15 12:01, Steve Walsh wrote:
> On 07/29/2015 01:55 AM, Scott Ferguson wrote:
>> A list of indicators that may interest some list readers:-
>>
>> http://spot.livejournal.com/308370.html?nojs=1
>>
>> <snip>
> 
> I can't believe he missed
> 
> * uses 'wget --no-check-certificate' to fetch a script from a https
> site, 

I can understand a site using a self-signed certificate (choice) - in
which case the link should lead to a page with instructions on how to
verify the certificate, and add it to the certificate store. Given that
free SSL certs are available which are signed by CAs already in the
default store - I can't understand why someone would be so stupid. I'd
be very reluctant to use their code.

> and pipes directly to /bin/bash [ +200 points of FAIL ]

Words fail me.

Name and Shame?


Maybe you're being a bit harsh. [ +180 points of FAIL]? (for the
--no-check-certificate). But anything over 135 points seems fair.

Another [ +180 points of FAIL] for the piping to bash.


I posted the wrong link this morning - apologies, it's rather dated.

This is the current version of that list:-

https://www.theopensourceway.org/wiki/How_to_tell_if_a_FLOSS_project_is_doomed_to_FAIL



Kind regards
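The two failure points the thread scores (`--no-check-certificate`, and piping a download straight into `bash`) both have a straightforward defensive alternative, and the "page with instructions on how to verify the certificate" that Scott asks for in the self-signed case maps onto a fingerprint check plus an explicit pin. The following is an added example written for this post, not code from the thread or from the project list it links; it assumes `wget`, `sha256sum` and `openssl` from a standard Linux install, and every URL, path and expected value in it is a placeholder the reader replaces with what the site publishes out of band.

```shell
#!/bin/sh
# Added example, not from the thread: the defensive alternative to
# "wget --no-check-certificate https://... | bash". Certificate verification
# stays on, a self-signed site's certificate is pinned explicitly rather than
# verification being switched off, and the script is saved, checksummed and
# readable on disk before anything executes it.
# Assumed tools: wget, sha256sum, openssl. All URLs, paths and digests below
# are placeholders.

# Check that a local PEM certificate has the SHA-256 fingerprint the site
# published out of band (the "instructions page" case from the thread).
# Colons and letter case are normalised so either display form compares equal.
cert_fingerprint_matches() {
    pem="$1"; expected="$2"
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null \
             | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$expected" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# Compare a downloaded file's SHA-256 digest against the published one.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Download with TLS verification ON. For a site that uses a self-signed
# certificate, pass the verified PEM as the third argument: wget then trusts
# exactly that certificate instead of trusting anything at all.
download_script() {
    url="$1"; out="$2"; pinned_ca="${3:-}"
    if [ -n "$pinned_ca" ]; then
        wget -q --ca-certificate="$pinned_ca" -O "$out" "$url"
    else
        wget -q -O "$out" "$url"
    fi
}

# Execute a script only after it matched its published digest. Any mismatch
# (a tampered download, a man-in-the-middle, a silently changed upstream file)
# never reaches the shell.
run_verified() {
    file="$1"; expected="$2"
    if verify_sha256 "$file" "$expected"; then
        sh "$file"
    else
        echo "checksum mismatch for $file; refusing to run" >&2
        return 1
    fi
}

# Typical use (placeholder values):
#   cert_fingerprint_matches site.pem "AB:CD:..." || exit 1
#   download_script https://example.test/install.sh install.sh site.pem
#   less install.sh            # read it before it runs
#   run_verified install.sh "<digest published by the project>"
```

The order matters: the fingerprint check happens before the certificate is ever handed to `wget`, the digest check happens before `sh` is ever invoked, and in between the script sits on disk where it can be read. Nothing here is slower to type than the one-liner it replaces; it just fails closed instead of open.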
