[clug] How you know your Free or Open Source Software Project is doomed to FAIL

James Ring sjr at jdns.org
Wed Jul 29 16:43:54 UTC 2015


On Tue, Jul 28, 2015 at 10:56 PM, Scott Ferguson
<scott.ferguson.clug at gmail.com> wrote:
> On 29/07/15 12:01, Steve Walsh wrote:
>> On 07/29/2015 01:55 AM, Scott Ferguson wrote:
>>> A list of indicators that may interest some list readers:-
>>>
>>> http://spot.livejournal.com/308370.html?nojs=1
>>>
>>> <snip>
>>
>> I can't believe he missed
>>
>> * uses 'wget --no-check-certificate' to fetch a script from a https
>> site,
>
> I can understand a site using a self-signed certificate (choice) - in
> which case the link should lead to a page with instructions on how to
> verify the certificate, and add it to the certificate store. Given that
> free SSL certs are available which are signed by CAs already in the
> default store - I can't understand why someone would be so stupid. I'd
> be very reluctant to use their code.
>
>> and pipes directly to /bin/bash [ +200 points of FAIL ]
>
> Words fail me.

If you trust the site and you get the bytes via SSL and the
certificate checks out, how is this different from downloading and
running some binary from, say, Debian archives?

Regards,
James
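The difference James asks about is whether the bytes are checked against something other than the transport before they run: a distribution archive verifies a signature over the package index with a locally held keyring, whereas `wget --no-check-certificate ... | bash` checks nothing at all. The script below is an added example, not code from the thread: it fetches to a file with certificate verification left on, and refuses to execute the file unless it matches a SHA-256 obtained out of band; the URL and hash names are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Fetch, verify, then run,
# instead of piping an unverified stream into a shell.
set -eu

# Download with certificate checking left ON (wget's default) and write to a
# file. Nothing is executed at this point. URL is a placeholder.
fetch_script() {
    url=$1; out=$2
    wget -q -O "$out" "$url"     # deliberately no --no-check-certificate
}

# Print the SHA-256 of a file; falls back to shasum on systems without
# coreutils (assumption: one of the two tools is installed).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Compare the file's digest with a hash obtained out of band (release notes,
# a signed checksum file, a pinned value in your own config).
# Returns 0 on match, 1 on mismatch.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Execute only after verification succeeded; a mismatch is a hard refusal.
verify_and_run() {
    file=$1; expected=$2
    if verify_sha256 "$file" "$expected"; then
        sh "$file"
    else
        echo "refusing to run $file: SHA-256 mismatch" >&2
        return 1
    fi
}

# Typical use (placeholders, not fetched here):
#   fetch_script https://example.invalid/install.sh /tmp/install.sh
#   verify_and_run /tmp/install.sh "<sha256 from the project's signed release page>"
```

A pinned hash only shifts trust to wherever the hash came from; the archive model works because that source is a signature key already on the machine, not the same server that served the script.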
