cross-posted from: https://lemmy.dbzer0.com/post/15238521

Yet another “brilliant” scheme from a cryptobro. Naturally this caused a gold-rush for scammers who outsourced random people via the gig economy to open PRs for this yml file (example).

  • David Gerard@awful.systemsM · ↑9 · 9 months ago

    this asshole pushed this dumb and bad scheme last year too.

    it’s not the previous scam “gitcoin”, it’s a fresh reimplementation of the bad idea.

    he was the Original Founder Of Homebrew!!! who left ages ago, and Homebrew are busy disclaiming him as often as is necessary

      • self@awful.systems · ↑5 · 9 months ago

        which itself is a shitty implementation of ideas stolen directly from Nix (specifically it’s a much worse nix run or comma with bits and pieces yanked straight from direnv), but with the, ah, sensibilities that can only come from the experience gained implementing one of the worst package managers

        I dug in and there’s also this related mash thing that appears to just be an unvetted index of scripts you can pull in and execute with no idea what they’ll actually do

        We have not vetted any of the scripts mash can run and (currently) they can do anything they want to your computer.

        We fully intend to add sandboxing and user reporting, but you have found mash super early in its life so you must practice caution in your usage.

        fucking genius. your killer app is a vector for malware cause in your excitement to release this shit you designed in like 10 minutes, you decided to push all the hard (and/or impossible — fucking sandboxing?) parts off until later

        • David Gerard@awful.systemsM · ↑5 · 9 months ago

          a shitty implementation of ideas stolen directly from Nix

          there’s probably a greenspun’s tenth law about this

          i’ve already said that any sufficiently large program eventually reimplements half of apt, badly

          • Deborah@hachyderm.io · ↑4 · 9 months ago

            If npm had only badly reimplemented anything previously existing instead of rebuilding package management from first principles I wouldn’t twitch at the mere mention of the words “package-lock.json”.

            It’s a package manager designed by brilliant feral wolves. Complex, well written nightmare tool that should never have come into existence because it doesn’t know any lesson learned by prior decades of package management, like a great artist painting a summoning circle for nyarlathotep.

            • froztbyte@awful.systems · ↑4 · 9 months ago

              I have ranted this so often

              From the late 00s to early 10s I worked somewhere where we maintained our own Debian distribution (not terribly far from mainline but some localised things for purpose). I learned a lot of packaging and package management and repo skills from that

              And then soon thereafter I was in other roles which also included having to deal with software that did npm things (and, occasionally, colleagues that did fpm things) and… god. Exhausted to my fucking core.

              Year after year goes by, and that fucking disastrous pile of shit ecosystem learns almost nothing. Repeatedly.

              And every time I have to touch it, it’s a shitshow. Every. Single. Time.

        • froztbyte@awful.systems · ↑4 · 9 months ago

          you designed in like 10 minutes

          I would be surprised

          I would, in fact, be somewhat willing to bet that this pile of dogshit was the result of at least a day (a saturday?) of discussion, possibly more

          remember, you need to bikeshed (all your terrible halfwit dipshit fucking turdbag ideas) languorously, can’t rush “perfection”

        • froztbyte@awful.systems · ↑3 · 9 months ago

          unvetted index of scripts you can pull in and execute with no idea what they’ll actually do

          the og homebrew experience

          • self@awful.systems · ↑5 · 9 months ago

            it’ll be fucking wild when my industry invents the ability to learn from its mistakes

            • self@awful.systems · ↑3 · 9 months ago

              also, of course it’s a bunch of yaml package recipes with wacky! comments barely wrapping the shell scripts actually doing the work, all of which are dumped into a way too fucking big recipes directory and shat into git, cause no this fucker didn’t learn a damn thing from last time

              also, this rant in the recipe file:

              FIXME proper system for re-using pre-built binaries we must require the vendor to provide signatures against a published public key. If they don’t then really we should build ourselves or warn the user about the fact. The thing is, we trust the sources implicitly currently because signing is so rare. The only way wide spread signing will occur is via our protocol.

              I’m guessing protocol here refers to the tea bullshit that’s being hoisted on our global open source ecosystem. the part I’m missing is: fucking what? why? there aren’t any hashes at all in the recipe file which is how Nix and most other package managers worth a damn verify sources. Nix doesn’t even differentiate between source code and pre-built binaries for this — Nix just knows the expected hash for the file and if it pulls an archive of binaries, you just tell it to skip the build step as part of the package definition. pkgx doesn’t even have the immutable bits that make using pre-built stuff mildly harder on a Nix system
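The point made above, that Nix pins the expected hash of the fetched file and simply skips the build step when that file is a pre-built archive, as an added example that is not from the thread, from pkgx or from nixpkgs itself; the package name, version, URL and hash are constructed placeholders.

```nix
# Added example of a nixpkgs-style package wrapping a pre-built tarball.
# pname, version, the URL and the hash are all constructed placeholders.
{ lib, stdenv, fetchurl, autoPatchelfHook }:

stdenv.mkDerivation rec {
  pname = "example-tool";   # hypothetical package name
  version = "1.2.3";        # hypothetical version

  # A pre-built archive is fetched exactly like a source tarball: the store
  # path is derived from the expected hash, and a download whose content
  # does not match is rejected before anything is unpacked or executed.
  src = fetchurl {
    url = "https://example.invalid/${pname}-${version}-linux-x86_64.tar.gz";
    # lib.fakeHash is a deliberate placeholder. The first build fails with a
    # hash mismatch that prints the real SRI hash, which is then pinned here.
    hash = lib.fakeHash;
  };

  # Rewrites the ELF interpreter and library paths of the vendored binary to
  # the immutable Nix store paths; this is the extra step pre-built binaries
  # need on a Nix system.
  nativeBuildInputs = [ autoPatchelfHook ];
  buildInputs = [ stdenv.cc.cc.lib ];

  # Nothing to compile: skip configure and build, keep unpack and install.
  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    runHook preInstall
    install -Dm755 bin/example-tool $out/bin/example-tool
    runHook postInstall
  '';

  meta.description = "Constructed example of a hash-pinned pre-built binary";
}
```

Once the real hash is pinned, a later change to the upstream file fails the fetch with the same mismatch report instead of being unpacked and run.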

              • Deborah@hachyderm.io · ↑5 · 9 months ago

                Looking at many of those installers: one day I will find the festering goatfuckers who popularized replacing installers with instructions like “sh <(curl https://pkgx.sh)” or, worse, “curl | sudo sh”, and I will inform them of the error of their ways, repeatedly and clearly. I expect you folks to provide my alibi.

              • V0ldek@awful.systems · ↑2 · 9 months ago

                The only way wide spread signing will occur is via our protocol.

                Sure, it’s not like there’s a whole protocol standard that you can use for signed provenance of binaries which you could incorporate and help promote to make the OSS ecosystem better and more secure.

                Nah, look, I solved package management using only my grit and impressively large IQ.

                I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

                And it’s always fucking tech guys.

                • self@awful.systems · ↑4 · 9 months ago

                  I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

                  And it’s always fucking tech guys.

                  “my only achievement is that I made the most mediocre version of something that already existed and somehow it got corporate adoption” is a whole-ass type of person in my industry, and they’ve always got the biggest gap between self-perceived genius and actual skill level. they always seem to gravitate towards systems software too, somehow

                • jonhendry@awful.systems · ↑3 · 9 months ago

                  I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

                  Reminds me of the time I was at Barnes & Noble and this lady comes in with her little boy (4-6 maybe?) and they head for the children’s section. At the entry to the children’s section she tells him to go find a book, and they separate. He walks a step to the first display in the center of the entry area, grabs something, and shouts “Momma I found a BOOK.”

  • froztbyte@awful.systems · ↑8 · 9 months ago

    you know, I’m strongly in favour of attempts at novel ways to fund open-source development, because there are still significant issues to be solved there. but

    1. ugh god really? this thing is some awfully halfwitted dogshit even by the standards of the coiners
    2. fucking rage

    not that I mean to praise the attempt here, to be clear. it is, of course, utter and complete bullshit. that it latches on to this particular problem irks me even more.

    it also leaves me wondering whether this type of problem/parasitism (at this tier of scale attempt, perhaps?) has a long lineage? previously there were things like dns alt roots, which occasionally got some under-informed/unlucky suckers, but this kind of low-effort attempt at intermediating themselves as tollmen isn’t something I know of past analogues to