Look before you paste.
-
Because you might be about to haxx yourself if you paste into a terminal.
-
So don't paste random snippets from untrusted websites into your terminal?
-
I have a tendency to retype terminal commands myself.
I dunno why, I usually don't like copy/pasting things like that.
-
Fuck when did I paste the gay porn where a black guy was doing a white dude up the arse?
-
@lucas1 Silly lucas, this is why you copy random words into your clipboard after sending kinky stuff to your lovers/friends.
-
There should be a clear clipboard button - I instinctively overwrite the clipboard using the same trick powerlord mentioned every time I'm done with it by now.
-
@powerlord said in Look before you paste.:
@lucas1 Silly lucas, this is why you copy random words into your clipboard after sending kinky stuff to your lovers/friends.
Copy that!
(Hehe puns)
-
@accalia said in Look before you paste.:
Because you might be about to haxx yourself if you paste into a terminal.
Wait, are you just now hearing about this? I read about it a year ago, roughly. I thought I read it here?
Either way, copy-pasting random bits of terminal commands without reading through them and understanding what they do is pants-on-head retarded and if you do so you deserve what you get.
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
My brain is mush, been a long day.
-
@Polygeekery said in Look before you paste.:
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
It was Chef:
-
@Polygeekery said in Look before you paste.:
Either way, copy-pasting random bits of terminal commands without reading through them and understanding what they do is pants-on-head retarded and if you do so you deserve what you get.
Not really the point of the article, which was that you may be copying and pasting a lot more code than what you can actually see on the source website, with the nasty bits hidden invisibly to the reader. Doesn't matter how well you understand the code you're pasting if you're actually also pasting in a whole stack of extra code that you don't know about.
-
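Following up on the point above that the clipboard can carry more than the page shows: here is an added example of a small shell function that inspects a snippet before it ever reaches a shell. It is my code, not from the thread or the article it discusses, and it goes a little beyond the hidden-newline trick: it also flags carriage returns, other control characters and non-ASCII bytes (zero-width and look-alike characters). It assumes the snippet is fed on stdin, for instance from `pbpaste` or `xclip -o`; those clipboard readers are assumptions, not something the thread mentions.

```shell
#!/bin/sh
# check_paste: inspect a would-be pasted snippet on stdin before a shell sees it.
# Added example for this thread, not code from the linked article.
# Prints "clean" and returns 0 when the snippet is a single line of printable
# ASCII (it will sit at the prompt until you press Enter); otherwise it lists
# what is hidden in it, prints "suspicious" and returns 1.
check_paste() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    verdict=0

    # Bytes a terminal acts on but a browser does not render.
    # A newline or carriage return runs the command as soon as it is pasted.
    newlines=$(( $(LC_ALL=C tr -cd '\n' < "$tmp" | wc -c) ))
    returns=$(( $(LC_ALL=C tr -cd '\r' < "$tmp" | wc -c) ))
    # Remaining C0 controls (tab excluded) and DEL: escapes, backspaces, NULs.
    controls=$(( $(LC_ALL=C tr -cd '\000-\010\013\014\016-\037\177' < "$tmp" | wc -c) ))
    # Anything outside 7-bit ASCII: zero-width and look-alike Unicode characters.
    nonascii=$(( $(LC_ALL=C tr -cd '\200-\377' < "$tmp" | wc -c) ))
    rm -f "$tmp"

    if [ "$newlines" -gt 0 ]; then
        echo "newline(s): $newlines - would execute on paste" >&2
        verdict=1
    fi
    if [ "$returns" -gt 0 ]; then
        echo "carriage return(s): $returns - would execute on paste" >&2
        verdict=1
    fi
    if [ "$controls" -gt 0 ]; then
        echo "control character(s): $controls - possible escape sequences" >&2
        verdict=1
    fi
    if [ "$nonascii" -gt 0 ]; then
        echo "non-ASCII byte(s): $nonascii - check for hidden Unicode" >&2
        verdict=1
    fi

    if [ "$verdict" -eq 0 ]; then echo clean; else echo suspicious; fi
    return "$verdict"
}

# Usage (clipboard readers are assumptions, pick the one your desktop has):
#   pbpaste | check_paste
#   xclip -o -selection clipboard | check_paste
```

The counts come from `tr -cd`, which keeps only the bytes in the given set, so each category is measured independently of the others; `LC_ALL=C` makes the ranges byte-based regardless of the user's locale.
-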
@Scarlet_Manuka sorry, brain is mush.
I have always made a habit of, when I do copy and paste, it goes into a text editor first. Which is a better place for me to go over it and understand it. Copy-pasta scripters don't ever learn what it is that they are actually doing.
The next level of insanity from this is piping curl or wget to your terminal, like Chef recommends you do.
-
@CreatedToDislikeThis said in Look before you paste.:
There should be a clear clipboard button - I instinctively overwrite the clipboard using the same trick powerlord mentioned every time I'm done with it by now.
I have spacebar shift left arrow ctrl x in muscle memory.
-
@Polygeekery said in Look before you paste.:
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
If you're on Windows you might be thinking of Chocolatey (a package manager).
-
@JBert said in Look before you paste.:
@Polygeekery said in Look before you paste.:
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
If you're on Windows you might be thinking of Chocolatey (a package manager).
Docker takes it one step further. You don't pipe it to your shell, you pipe it to root's shell.
-
@powerlord said in Look before you paste.:
I have a tendency to retype terminal commands myself.
I dunno why, I usually don't like copy/pasting things like that.
It's better for memorizing the command anyway.
-
@Polygeekery said in Look before you paste.:
I have always made a habit of, when I do copy and paste, it goes into a text editor first
I do this. Not for security or better understanding but just to remove any unwanted formatting that might come with it, or to remove line numbers or whatever.
@Polygeekery said in Look before you paste.:
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
There are a few things that do that. I'm not against that when you're downloading something from a website you trust.
-
@loopback0 said in Look before you paste.:
@Polygeekery said in Look before you paste.:
I have always made a habit of, when I do copy and paste, it goes into a text editor first
I do this. Not for security or better understanding but just to remove any unwanted formatting that might come with it, or to remove line numbers or whatever.
@Polygeekery said in Look before you paste.:
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal? It was a major bit of software.
There are a few things that do that. I'm not against that when you're downloading something from a website you trust.
Yup. I mean, why wouldn't I trust Dropbox or Spotify?
-
@kt_ Or a GitHub repository?
-
@loopback0 said in Look before you paste.:
when you're downloading something from a website you trust.
And you're using https.
-
@Zecc said in Look before you paste.:
@kt_ Or a GitHub repository?
Well, there you gotta be careful. You should only install software made by people you trust. No, your uncle Edward is a bad example, never install stuff created by uncle Edward!
-
@accalia Funny how it’s on a Linux site, but the screenshots are from OS X’s Terminal.app.
-
@sloosecannon said in Look before you paste.:
@loopback0 said in Look before you paste.:
when you're downloading something from a website you trust.
And you're using https.
And not being a dumbass, ignoring invalid certificates.
@kt_ said in Look before you paste.:
Well, there you gotta be careful. You should only install software made by people you trust. No, your uncle Edward is a bad example, never install stuff created by uncle Edward!
Wasn't there an "oops..." by someone important who neglected to fully verify a commit by a third party and accidentally got malware injected because of that? Edit: to be clear, the commit specifically targeted the installation script.
ISTR something like that, but searching for news about it I couldn't find anything.
-
@Polygeekery said in Look before you paste.:
It was Chef:
and Node, and just about anything that doesn't keep its archives for Ubuntu up to date but has a website.
-
Previous paste jacking topic (was posted May 24th, 2016):
-
@Yamikuronue said in Look before you paste.:
@Polygeekery said in Look before you paste.:
It was Chef:
and Node, and just about anything that doesn't keep its archives for Ubuntu up to date but has a website.
OK, am I the only one who thinks this is a really shit installation procedure?
Piping curl to your shell seems like unprotected anonymous sex.
-
@Polygeekery How much worse is it than manually downloading a blob and giving it admin / root in order to install?
-
@Polygeekery said in Look before you paste.:
OK, am I the only one who thinks this is a really shit installation procedure?
Nope ;)
Then again, if I want to manage Node installations, I don't bother with the distro's package manager. Instead, I install nvm and let that sort things out. And the benefit of nvm is I can have as many parallel versions of Node installed as I want, and can switch between them with a single command.
-
@RaceProUK said in Look before you paste.:
nvm
That's what I say when anyone tells me I should use Node
-
@Jaloopa said in Look before you paste.:
@RaceProUK said in Look before you paste.:
nvm
That's what I say when anyone tells me I should use Node
-
@boomzilla said in Look before you paste.:
@Polygeekery How much worse is it than manually downloading a blob and giving it admin / root in order to install?
I guess, practically, not any worse. But it just seems so much worse. It seems dirty.
-
@Polygeekery Yep.
-
@RaceProUK said in Look before you paste.:
Instead, I install nvm and let that sort things out.
oh, good idea! Let me go install nvm...
To install or update nvm, you can use the install script using cURL:
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.0/install.sh | bash
or Wget:
wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.33.0/install.sh | bash
...oh.
-
@Yamikuronue Seriously? Wow, that's just...
Why do so many FLOSS projects not think enough about basic UX? Just because devs use Node, doesn't mean it can't be easy to set up. And it's not like building packages is a chore: set it up in the build system once, and every new release gets DEB and YUM bundles straight away. You could even set up an auto-deploy to publish said packages to the official Debian/Red Hat repos.
-
@Yamikuronue this shit is spreading.
Curling the script and then running it manually would seem so much more secure to me than piping it to the shell. The logical side of me knows that there is not really any difference, but piping curl or wget to shell just feels so wrong.
-
@Polygeekery said in Look before you paste.:
Curling the script, reading and validating the contents of the script, and then running it manually would ~~seem~~ be so much more secure to me than piping it to the shell.
FTFY
-
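The "curl it, read it, validate it, then run it" procedure from the post above, written out as a shell function. This is an added example, not code from the thread or from any of the projects named in it; the URL and checksum in the usage comment are placeholders, and it assumes `curl`, `less` (or `$PAGER`) and either `sha256sum` or `shasum` are available. It downloads to a file rather than a pipe, checks a published SHA-256 if you have one, makes you page through the script, and runs it as the current user only after an explicit "yes".

```shell
#!/bin/sh
# fetch_review_run: the "curl, read, validate, then run" alternative to curl | bash.
# Added example for this thread; URL, checksum and prompt wording are my own.

# Print the SHA-256 of a file with whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only if FILE hashes to EXPECTED.
# Published checksums are sometimes upper case, so compare case-insensitively.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_review_run URL [EXPECTED_SHA256]
#   1. download over HTTPS to a file, never straight into a shell
#      (-f: fail on HTTP errors; --proto '=https': refuse plain-http redirects)
#   2. check the published checksum if one was given
#   3. page through the script so it actually gets read
#   4. run it as the current user, not root, only after an explicit "yes"
fetch_review_run() {
    url=$1
    expected=${2:-}
    script=$(mktemp) || return 2

    if ! curl -fsSL --proto '=https' -o "$script" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$script"
        return 1
    fi
    if [ -n "$expected" ] && ! verify_sha256 "$script" "$expected"; then
        echo "checksum mismatch, not running $url" >&2
        rm -f "$script"
        return 1
    fi

    ${PAGER:-less} "$script"
    printf 'Run this script as %s? [yes/NO] ' "$(id -un)"
    read -r answer
    if [ "$answer" = yes ]; then
        sh "$script"
        rc=$?
    else
        echo "not run" >&2
        rc=1
    fi
    rm -f "$script"
    return "$rc"
}

# Usage (placeholder URL and checksum, not a real project's):
#   fetch_review_run https://example.invalid/install.sh \
#       0000000000000000000000000000000000000000000000000000000000000000
```

If the project does not publish a checksum, the function still forces the download-to-file and read-through steps; the checksum only adds protection against the file on the server having been swapped since it was reviewed elsewhere.
-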
@RaceProUK The sad thing is, this is their concession to UX. "Paste this one terminal command" is so much more user-friendly than "download this tarball, figure out how to untar it, run make, pray it works", while still taking less effort on their part than "install from your package manager"
-
@Polygeekery said in Look before you paste.:
Piping curl to your shell seems like unprotected anonymous sex.
I have to say it's much less fun.
-
@boomzilla said in Look before you paste.:
How much worse is it than manually downloading a blob and giving it admin / root in order to install?
I know some paranoid people who don't even compile unknown code without switching user accounts.
-
@Polygeekery said in Look before you paste.:
I read about it a year ago, roughly. I thought I read it here?
https://what.thedailywtf.com/topic/20017/paste-jacking
Fuck, now what software was it I ran into a while back that the advised installation procedure was piping a script from their site via curl into your terminal?
Nothing wrong with that IF that script is downloaded via secure https. Which it probably wasn't, but whatever.
-
@accalia I liked something similar a year ago.
-
@RaceProUK through a self signed certificate?
-
@Polygeekery said in Look before you paste.:
unprotected anonymous sex.
@boomzilla said in Look before you paste.:
manually downloading a blob
Is that what you old timers called it in your day?
-
Nah. I refer to it as a "data dump" if I am trying to be super sexy.
-
@Polygeekery This discussion looks really weird with what fits on my screen right now:
-
@Polygeekery didn't we just have a different topic delve into how much data is packed into a drop of semen?
-
@darkmatter I really need to get out of the garage more. I could have had a heyday with that thread.
-
@Polygeekery said in Look before you paste.:
@darkmatter I really need to get out of the garage more
@Polygeekery said in Look before you paste.:
Nah. I refer to it as a "data dump" if I am trying to be super sexy.
Sounds like you need to get out more in general...
-
@remi said in Look before you paste.:
Is that what you old timers called it in your day?
I'm manually downloading a blob right now.
-
@powerlord The reason is simple: your instincts are good enough to tell you that it's a bad idea, and retyping it is just a convenient way of making sure you read the whole command line.