Comment by shawn
7 years ago
Sorry, 2AM. You're right of course.
I think the real message is that this is a new class of timing attack, and that it should be treated as such. E.g. curl itself needs to be updated to buffer its own output.
7 years ago
Sorry, 2AM. You're right of course.
I think the real message is that this is a new class of timing attack, and that it should be treated as such. E.g. curl itself needs to be updated to buffer its own output.
Or perhaps people shouldn't curl | bash? I don't want curl to buffer all output, I use it on devices with little RAM and do stream processing.
I disagree. Maybe a new tool that downloads and then runs a script from the interwebs needs to be written, but curl itself does one job and does it well.
I.e., curl is a *nix tool.
> Maybe a new tool that downloads and then runs a script from the interwebs needs to be written
What you're describing there is a package manager. What we don't need is a tool for running any random script from the wider internet.
Yet Another Package Manager :) Seriously - you're right, but people use curl | bash because it's super simple/fast and usually just works. Package managers can be an intimidating mess; even the choices we have in package managers confound things these days - did I install that with apt? snap? npm? pip? aw, crap that program I just installed with pip isn't working because I'd already installed a version with apt and some of it's configuration isn't compatible!!!
It's a mess. I really like snaps, but I hesitate for this reason - safer to default to apt on my ubuntu machine.
[edit] by safer I meant 'less likely for me to get confused and so screw up something', not meant as a security comment.
Isn't that tool what we call a "user"?
1 reply →