Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

windows users will also happily "run as administrator", while a lot of linux users know not to do that in my experience


Yes, I have an absolutely pristine record and I have never, ever copy-pasted a script from the internet with sudo, or piped curl into bash because I'm lazy and I trust most github READMEs. Never.


I have literally never done this and do not understand why anyone would.

Installing software to the system should be handled by a package manager, but if you must install something like this, just throw it in a tmpfile and inspect the script before running it.

I know the response to this will be "but the things the script downloads and installs could be malicious", and while this is true, so long as the sources in the install script are fine, I consider this to be a separate issue (but still a big issue).

The issue of trusting source code or binaries is a thing but it doesn't justify copy pasta'ing random scripts in the shell.

Another thing to take note of, there in the past have been bugs in terminal emulators that allowed pasting certain characters that made the text look completely different than what it actually was, so pasting "ls $HOME" could have actually been "rm -rf ~/" for example.


I usually double check before running stuff as sudo, and piping into bash i dont really ever need (AUR). My heart goes out to those on distros where thats the way to distribute software.


AUR is perfectly safe. Got it.


Honestly...I'm far for afraid of my $HOME being uploaded somewhere. You don't need "run as administrator" for that.


> You don't need "run as administrator" for that.

This is what makes it so doable since you don't need any privilege escalation.

The reason why this is a big deal for a lot of people is your ssh keys will give you access to your git repos and other servers unless you have them password protected or use gpg/sk ssh keys which I think a lot of people don't do.

And of course if you can see the known hosts file/bash_history you'll likely have access to more servers to propagate to.

Also things like your browser cache is stored there.


Plenty of dangerous things stored in `~/`, they don't even need password for ssh-key if there is ssh-agent running (this is in case of dangerous process running, not just upload).

This is why I store keys on a hardware key that requires me to touch it when used and manually start ssh-agent when doing a lot of `git push`.


Yeah gpg/sk ssh keys are definitely the way to go.


>a lot of linux users know not to do that in my experience

README.md : "to get this to work, curl or wget the following script and run it as sudo"

Linux users: Aye


That is programmers etc using Linux, yes. Casual users wont touch the terminal.


In my experience, there are relatively few casual users of Linux.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: