[clug] How you know your Free or Open Source Software Project is doomed to FAIL

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jul 30 03:59:26 UTC 2015


On 30/07/15 11:16, Michael Cohen wrote:
> On 29.07.2015 at 8:29 a.m., "Steve Walsh" <steve at nerdvana.org.au> wrote:
> 
>> On 07/29/2015 03:56 PM, Scott Ferguson wrote:
>>
>>> Words fail me.
>>>
>>> Name and Shame?
>>>
>> Github is littered with them, but even more mainstream does it. Dell OMSA,
>> for a start (http://linux.dell.com/repo/hardware/omsa.html)
>>
>> "Set up the Dell OpenManage Repository at
>> http://linux.dell.com/repo/hardware/ like this:
>>
>> 1.
>>
>>    wget -q -O - http://linux.dell.com/repo/hardware/latest/bootstrap.cgi
>> | bash
>>
>> "
>>
>> For those who may not understand why this is a problem, Tim Serong, a
>> Tassie OpenSuse hacker, has prepared http://tserong.github.io/sudo-wget/
>>
>>
> I'm sorry I fail to understand how this is any worse than hosting your
> installer on plain HTTP. 

Yes.

> Piping a curl installer to shell is not better or
> worse than distributing your software on plain HTTP or downloads.com or
> something.

Downloading anything which is not verifiable, from an HTTP source leaves
you open to MiM attacks - what you subsequently download may not be what
you think.

Piping an installer to shell is a separate problem. (different dog,
different leg action).
I believe that attempting to measure one against the other is like
trying to decide whether it's better, or worse, to be punched in the
mouth or the belly. Any answer is the answer to the wrong question.

Piping an installer to shell, no matter the protocol used to access the
source, is like going to a shop to order food then putting on a blindfold and
being force-fed, is not better or worse than ordering food from a shop
and getting it served in a bag or on a plate to inspect and consume at
your discretion.

In which case I'd suggest that the former encourages poorly considered
choices and may cause problems if the vendor wanders off to have a
cigarette break while you lie choking unattended on the floor and
blindfolded with a spoon stuck down your throat. (what happens if the
network drops out? if the installation does not work as advertised and
leaves you unable to resume?)



Kind regards
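
An added example, not part of the original post: the "network drops out" case above, using a constructed three-step installer. Piping a truncated download into sh runs whatever arrived, while saving to a file and checking a SHA-256 digest first runs nothing unless the bytes are complete and unmodified. The function names, file names and the source of the expected digest are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; file names and the sample installer are constructed.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE exists and its SHA-256 equals EXPECTED.
verify_installer() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run FILE with sh only after the digest check passes.
run_verified() {
    verify_installer "$1" "$2" || { echo "refusing $1: digest mismatch" >&2; return 1; }
    sh "$1"
}

# Write a constructed three-step installer into DIR, plus a copy cut off
# after step 2 to stand in for a transfer that dropped mid-download.
make_samples() {
    printf 'echo step1 >> "$LOG"\necho step2 >> "$LOG"\necho step3 >> "$LOG"\n' > "$1/install.sh"
    head -n 2 "$1/install.sh" > "$1/truncated.sh"
}

# Print how many steps ran when the truncated bytes are piped straight to sh.
steps_when_piped() {
    d=$(mktemp -d); make_samples "$d"
    LOG="$d/log"; export LOG; : > "$LOG"
    sh < "$d/truncated.sh"
    wc -l < "$LOG" | tr -d ' '
    rm -rf "$d"
}

# Print how many steps ran when NAME (install.sh or truncated.sh) goes
# through run_verified against the digest of the complete installer.
steps_when_verified() {
    d=$(mktemp -d); make_samples "$d"
    LOG="$d/log"; export LOG; : > "$LOG"
    expected=$(sha256_of "$d/install.sh")  # assumption: stands in for a vendor-published digest
    run_verified "$d/$1" "$expected" 2>/dev/null || :
    wc -l < "$LOG" | tr -d ' '
    rm -rf "$d"
}
```

In practice the expected digest has to come from a channel trusted independently of the download itself, and the saved file can be read before it is run.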


