cross-posted from: https://lemmy.dbzer0.com/post/15238521

Yet another “brilliant” scheme from a cryptobro. Naturally this caused a gold-rush for scammers who outsourced random people via the gig economy to open PRs for this yml file (example)

  • self@awful.systems
    link
    fedilink
    English
    arrow-up
    3
    ·
    9 months ago

    also, of course it’s a bunch of yaml package recipes with wacky! comments barely wrapping the shell scripts actually doing the work, all of which are dumped into a way too fucking big recipes directory and shat into git, cause no this fucker didn’t learn a damn thing from last time

    also, this rant in the recipe file:

    FIXME proper system for re-using pre-built binaries we must require the vendor to provide signatures against a published public key. If they don’t then really we should build ourselves or warn the user about the fact. The thing is, we trust the sources implicitly currently because signing is so rare. The only way wide spread signing will occur is via our protocol.

    I’m guessing protocol here refers to the tea bullshit that’s being hoisted on our global open source ecosystem. the part I’m missing is: fucking what? why? there aren’t any hashes at all in the recipe file which is how Nix and most other package managers worth a damn verify sources. Nix doesn’t even differentiate between source code and pre-built binaries for this — Nix just knows the expected hash for the file and if it pulls an archive of binaries, you just tell it to skip the build step as part of the package definition. pkgx doesn’t even have the immutable bits that make using pre-built stuff mildly harder on a Nix system

    • Deborah@hachyderm.io
      link
      fedilink
      arrow-up
      5
      ·
      9 months ago

      Looking at many of those installers: one day I will find the festering goatfuckers who popularized replacing installers with instructions like “sh <(curl https://pkgx.sh)” or, worse “curl | sudo sh”, and I will inform them of the error of their ways, repeatedly and clearly. I expect you folks to provide my alibi.

    • V0ldek@awful.systems
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      The only way wide spread signing will occur is via our protocol.

      Sure, it’s not like there’s a whole protocol standard that you can use for signed provenance of binaries which you could incorporate and help promote to make the OSS ecosystem better and more secure.

      Nah, look, I solved package management using only my grit and impressively large IQ.

      I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

      And it’s always fucking tech guys.

      • self@awful.systems
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

        And it’s always fucking tech guys.

        “my only achievement is that I made the most mediocre version of something that already existed and somehow it got corporate adoption” is a whole-ass type of person in my industry, and they’ve always got the biggest gap between self-perceived genius and actual skill level. they always seem to gravitate towards systems software too, somehow

        • Deborah@hachyderm.io
          link
          fedilink
          arrow-up
          4
          ·
          9 months ago

          This is me, yesterday, on realizing that gmail doesn’t have inbox sorting options, something elm had in *1986*.

          (Look, I know everyone else has long since become beaten into the ground by gmail’s quirks, but I don’t use it personally, and whenever I’m at a job that allows gmail IMAP clients I use those instead. It honestly never occurred to me that the dominant client that’s slowly strangling all small mailers wouldn’t have “change sort order” as a basic fucking function.)

          • froztbyte@awful.systems
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            The deficiencies in the goog interfaces, across multiple products, are legion. I recall someone talking about it recently compared to Palm Pilot, and how the latter could do detail obscuring when just wanting to share a single piece of information on a screen (think the examples used were calendar and contact)

            The other “fun” thing is how they kill off features/things to force people into how they want a thing to be used. And I believe IMAP with normal credential auth is one of those on the list for later this year… 😡

      • jonhendry@awful.systems
        link
        fedilink
        English
        arrow-up
        3
        ·
        9 months ago

        I hate the energy of That Guy that barges into the room and shouts “I solved X!” without researching for 5 minutes what all the people that were actually hard at work solving X came up with, what hurdles they identified, and which paths were already explored.

        Reminds me of the time I was at Barnes & Noble and this lady comes in with her little boy (4-6 maybe?) and they head for the children’s section. At the entry to the children’s section she tells him to go find a book, and they separate. He walks a step to the first display in the center of the entry area, grabs something, and shouts “Momma I found a BOOK.”