I logged a bug[1] for this today after noticing that https://brew.sh had broken SSL, The official response: "Do not to use HTTPS" by the maintainers.
When I pointed out that directing people to curl directly from the internet especially over insecure web pages (without even a warning) the maintainers did not see the issue despite it being a widely used package manager often requiring root access for package installation,
I closed my bug report and the maintainers locked the conversation from further comments / input with a snarky reply.
Can I take it? Sure! Do I care that people are installing homebrew across their machines everywhere via an insecure method - you bet I do!
I'm not here to let off steam, I'm here to give a reminder and a general security PSA: Please don't blindly copy and paste commands from the internet into your shells, especially when it's to install a package manager.
My questions to the maintainers:
"...
Regardless, as I said, this is a package manager, please consider security, especially when you're suggesting that it's a good idea that users curl straight to shell from the internet, if they don't use SSL anyone could MITM that link of yours and people could be infected with malware etc...
@MikeMcQuaid @UniqMartin - your thoughts on users curling straight from an unencrypted website to their shell?"
Maintainers response:
"MikeMcQuaid @sammcj Life tip: messages provided with a patronising tone will generally not be taken on board."
"This conversation has been locked and limited to collaborators."
- I bought a domain that sounds legitimate and could have told people to do bad things, instead a linked to an article about why you shouldn't curl to shell, it cost me $0.88: http://homebrew.host
I absolutely agree, OK some of my comments could have been a little less 'defeated' sounding, but that's the way I feel when I have to explain this over and over again.
7 comments
[ 2.9 ms ] story [ 30.8 ms ] threadWhen I pointed out that directing people to curl directly from the internet especially over insecure web pages (without even a warning) the maintainers did not see the issue despite it being a widely used package manager often requiring root access for package installation,
I closed my bug report and the maintainers locked the conversation from further comments / input with a snarky reply.
Can I take it? Sure! Do I care that people are installing homebrew across their machines everywhere via an insecure method - you bet I do!
I'm not here to let off steam, I'm here to give a reminder and a general security PSA: Please don't blindly copy and paste commands from the internet into your shells, especially when it's to install a package manager.
My questions to the maintainers:
"...
Regardless, as I said, this is a package manager, please consider security, especially when you're suggesting that it's a good idea that users curl straight to shell from the internet, if they don't use SSL anyone could MITM that link of yours and people could be infected with malware etc...
@MikeMcQuaid @UniqMartin - your thoughts on users curling straight from an unencrypted website to their shell?"
Maintainers response:
"MikeMcQuaid @sammcj Life tip: messages provided with a patronising tone will generally not be taken on board."
"This conversation has been locked and limited to collaborators."
[1] But report: https://github.com/Homebrew/brew/issues/490
Screenshots:
- http://i.imgur.com/ia26FsQ.jpg
- https://cloud.githubusercontent.com/assets/862951/16719904/7...
- https://cloud.githubusercontent.com/assets/862951/16719905/7...
- http://i.imgur.com/KIJshXT.jpg
- http://i.imgur.com/lPgV0Hq.jpg
- I bought a domain that sounds legitimate and could have told people to do bad things, instead a linked to an article about why you shouldn't curl to shell, it cost me $0.88: http://homebrew.host
*Edit: Add screenshots, example