> It’s true, babushka means “grandmother” in Russian. The thing is, here in Australia, “babushka doll” is the colloquial term for Russian nesting dolls. Deps are intended to be small, tidy chunks of code, nested within each other - hence the name.
This is presented as revolutionary somehow, but it's just a stripped-down (early version?) of what the other configuration management tools do: e.g. Chef, puppet, ansible.
I'm working from a memory of a podcast, so pull out those pinches of salt: Chef offers a testing suite - it basically offers a running mode which does an audit of what current conforms to the recipes you've passed it, and outputs a list of actions it would take to remedy this.
Combined with VMs, this lets you do some basic automated testing to ensure that your script is doing what you intend it to do.
I could swear that they also some kind of automated validation against an "inventory", which would make it possible to do automated tests against a known, unchanging target, but at this point I'm probably mis-remembering. They may have just advocated using VMs, images, and audits as validation.
I was thinking the same thing. As a grey haired sysadmin it's disconcerting to see this blasé attitude toward executing local commands from a remote host.
In a practical sense, I'm not sure it's as bad as it looks. It is https. And if you weren't going to read the source code, it's not really different from downloading the program before executing it. In this case, its a small shell script, so it's easy to glance through the code to make sure it isn't doing anything sketchy. For large code bases, that isn't always feasible, so at some point you have to simply trust the source, whether you install from a tarball or (ugh) let a shell execute commands from a remote host.
Also, if you're the kind of sysadmin that fires up a VM or a container any time you want to experiment with a new piece of software, you can afford to take risks. At worst, they'll steal your public key.
It does seem like a bad habit. If you get used to sh+curl install legitimate projects, it isn't such a stretch to sh+curl miscellaneous suggestions on forums.
21 comments
[ 2.4 ms ] story [ 18.4 ms ] thread[0]: https://github.com/richo/babashka
[0]: http://larsyencken.github.io/marelle/
Always coming to the rescue of her grandchildren.
> It’s true, babushka means “grandmother” in Russian. The thing is, here in Australia, “babushka doll” is the colloquial term for Russian nesting dolls. Deps are intended to be small, tidy chunks of code, nested within each other - hence the name.
Last paragraph: http://babushka.me/overview
I tried it all ansible based: https://github.com/CraigJPerry/ansible-users/tree/test-cases...
I tried it using Python's unittest2 module: https://github.com/CraigJPerry/home-network/blob/v0.1.5/test...
I like the idea that ansible playbooks should be self testing.
Combined with VMs, this lets you do some basic automated testing to ensure that your script is doing what you intend it to do.
I could swear that they also some kind of automated validation against an "inventory", which would make it possible to do automated tests against a known, unchanging target, but at this point I'm probably mis-remembering. They may have just advocated using VMs, images, and audits as validation.
In a practical sense, I'm not sure it's as bad as it looks. It is https. And if you weren't going to read the source code, it's not really different from downloading the program before executing it. In this case, its a small shell script, so it's easy to glance through the code to make sure it isn't doing anything sketchy. For large code bases, that isn't always feasible, so at some point you have to simply trust the source, whether you install from a tarball or (ugh) let a shell execute commands from a remote host.
Also, if you're the kind of sysadmin that fires up a VM or a container any time you want to experiment with a new piece of software, you can afford to take risks. At worst, they'll steal your public key.
It does seem like a bad habit. If you get used to sh+curl install legitimate projects, it isn't such a stretch to sh+curl miscellaneous suggestions on forums.
[1] https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...