7 comments

[ 2.9 ms ] story [ 30.8 ms ] thread
I logged a bug[1] for this today after noticing that https://brew.sh had broken SSL, The official response: "Do not to use HTTPS" by the maintainers.

When I pointed out that directing people to curl directly from the internet especially over insecure web pages (without even a warning) the maintainers did not see the issue despite it being a widely used package manager often requiring root access for package installation,

I closed my bug report and the maintainers locked the conversation from further comments / input with a snarky reply.

Can I take it? Sure! Do I care that people are installing homebrew across their machines everywhere via an insecure method - you bet I do!

I'm not here to let off steam, I'm here to give a reminder and a general security PSA: Please don't blindly copy and paste commands from the internet into your shells, especially when it's to install a package manager.

My questions to the maintainers:

"...

Regardless, as I said, this is a package manager, please consider security, especially when you're suggesting that it's a good idea that users curl straight to shell from the internet, if they don't use SSL anyone could MITM that link of yours and people could be infected with malware etc...

@MikeMcQuaid @UniqMartin - your thoughts on users curling straight from an unencrypted website to their shell?"

Maintainers response:

"MikeMcQuaid @sammcj Life tip: messages provided with a patronising tone will generally not be taken on board."

"This conversation has been locked and limited to collaborators."

[1] But report: https://github.com/Homebrew/brew/issues/490

Screenshots:

- http://i.imgur.com/ia26FsQ.jpg

- https://cloud.githubusercontent.com/assets/862951/16719904/7...

- https://cloud.githubusercontent.com/assets/862951/16719905/7...

- http://i.imgur.com/KIJshXT.jpg

- http://i.imgur.com/lPgV0Hq.jpg

- I bought a domain that sounds legitimate and could have told people to do bad things, instead a linked to an article about why you shouldn't curl to shell, it cost me $0.88: http://homebrew.host

*Edit: Add screenshots, example

Now me being mean: what did you expect from people who can't work with a binary tree? Technical prowess?
I don't understand how in 2016 the value of SSL still has to be debated... Pretty poor TBH.
I absolutely agree, OK some of my comments could have been a little less 'defeated' sounding, but that's the way I feel when I have to explain this over and over again.
Honestly this is not surprising. The homebrew developers seem pretty much unable to accept any possible criticism.
I bet they disagree with that statement. Jokes aside, interesting to hear.