we all know what you meant. you’re just incorrect, your conflating multiple different types of attacks and asserting the one that is easiest to resolve is an equivalent problem. shrug

1. if the developer of the application is writing malware, its malware end of story. its usually discovered rapidly and people avoid it.
2. supply chain attacks are harder to achieve (i.e. uploading a tainted binary to a software repository)
3. curling a shell script is pretty much the easiest target. you have a bunch of randomly setup servers serving a program that literally intended to install software on systems. You now have a large surface area random from typo attacks, to dns poisoning etc.

many devs i’ve encountered in the wild (FANG/startups/randomly) can barely sort a list without causing problems. so now we have people hosting multiple servers they probably didn’t configure correctly. meaning instead of a few centralized repositories we need to secure we now have to trust these individual people have enough technical know how to safely host such a setup.

thats the problem with these setups. its not the developer being a bad actor we’re worried about, its the systems they’ve setup to serve these scripts. with checksums and side channels its easy to validate the resulting binary. which can effectively nips any issues with a compromised repository.

1. no one is talking about NPM libraries. we’re talking about released packages.
2. you absolutely can ensure a binary hasnt been tampered with. its called checksumming.
3. you’re confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.

Not everything is provided with a package manager

Yes. thats precisely the problem we’re pointing out to you. if you’re going to provide software over the internet provide a proper package with checksum validation. its not hard, stop providing bash scripts.

How do you know the script hasnt been compromised? Is every user competent enough to evaluate it to ensure its safe to run?

Using package managers to handle this provides a couple things: First: most package manager have builtin mechanisms to ensure the binary is unmodified Second: they provide a third party validating them.

Lol if you think we send in Seal team 6 for hostages of foreign countries.

dude stfu and enjoy it. I love when that shit happens to me.

because many people are uncomfortable with change and having women suddenly appearing more frequently thatn their use to upsets them. You’ll find this fear of the unknown a very common source of much stupidity.

You’re not over reacting. It is that fucked up. welcome to the insanity.

LLCs are plebs. You need a corporation to not be a pleb and it needs to be registered in Delaware.

na, they’ll just say it doesn’t apply to companies because no clear pleb to pin it on.

Side note: did you mean to say “shot themselves in the root”? I love it either way.

ssh its better with the typo. ;)

#no thank you lol

we’re probably talking about different things. virtually no distribution comes with root access with a password. you have to explicitly give the root user a password. without a password no amount of brute force sshing root will work. I’m not saying the root user is entirely disabled. so either the service OP is building on is basically a goldmine for compromised machines or OP literally shot themselves in the root by giving root a password manually. something you should never do.

We have it at my company its just a very small group and we have to manually enable it for production and its through tools like teleport. Staging and the like its free game there for them for debugging, same infra through. Gives us best of all worlds

Most distributions disable root by default

it should, might take awhile, might depend if your system is reachable from the internet. if the tracker can’t reach your node it might not advertise the torrent because it can’t confirm that people will be able to download it.

its kind of the point of a tracker, they’re tracking announces.

just announce them to trackers? you dont need to upload anything. thats kind of the point.

yeah sorry. filter switched to controversial without me realizing. points still stand though. =)

No you can’t because biden didnt run. Just like harris should not have run if she refused to meet the electorate were they’re at policy wise.

these events are about connecting with your community and getting organized. go with that in mind.

Thank you for your upcoming service. I look forward to mildly annoying you!