Comment by tzs
7 years ago
Alice and Bob are both installing something on their computers. It is available as both a .deb and via "curl | bash". It is not malicious...but it does turn out to have a serious bug.
They both install, and both hit the bug and find that it has completely and utterly broken their network configurations badly enough that they have no network access at all.
Alice installed via the .deb. She can look at the scripts in the .deb and see what it was messing with, which gives her a big head start on figuring out how to fix it at least enough to connect to the network backup server and fully restore her network configuration.
Bob installed via "curl | bash". Bob is now left using find to look for recently changed configuration files, and paging through the out-of-date O'Reilly books he has from the old days when programmers owned physical books, trying to remember enough about network configuration to recognize what is wrong.
Trustworthy sites do not serve you malicious code. They often will, however, serve you buggy code.
Or Bob just curls the file again and reads it?
How does Bob curl the file again without network access? :-)
Remember, I said that the bug in the file broke the network configuration so that Alice and Bob lost all network access.
From another computer? This situation sounds so contrived as-is. Don't tell me they also can't use another system?
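Alice's offline inspection from the first comment, as an added example that is not part of the original thread: dpkg keeps an installed package's maintainer scripts under /var/lib/dpkg/info, so they can be read with no network. The function name, the package name `examplepkg` and the sample postinst are constructed for illustration.

```shell
#!/bin/sh
# Print the /etc paths mentioned by an installed package's maintainer scripts.
# Works offline: dpkg keeps these scripts locally after installation.
# Usage: deb_script_etc_paths PACKAGE [INFO_DIR]
deb_script_etc_paths() {
    pkg=$1
    info_dir=${2:-/var/lib/dpkg/info}
    found=0
    for stage in preinst postinst prerm postrm; do
        # Multi-arch packages are stored as PACKAGE:ARCH.STAGE
        for script in "$info_dir/$pkg.$stage" "$info_dir/$pkg":*."$stage"; do
            [ -f "$script" ] || continue
            found=1
            # Drop comment lines, then pull out anything that looks like an /etc path
            grep -v '^[[:space:]]*#' "$script" \
                | grep -oE '/etc/[A-Za-z0-9._/-]+' \
                | sort -u \
                | while IFS= read -r path; do
                      printf '%s\t%s\n' "$stage" "$path"
                  done || :
        done
    done
    if [ "$found" -ne 1 ]; then
        echo "no maintainer scripts found for $pkg in $info_dir" >&2
        return 1
    fi
}

# Constructed sample (not a real package): a postinst that rewrites network
# configuration, laid out the way dpkg stores it.
make_sample_info_dir() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/examplepkg.postinst" <<'EOF'
#!/bin/sh
# mentions /etc/ignored/in/comment only in a comment
cp /usr/share/examplepkg/interfaces /etc/network/interfaces
echo "nameserver 192.0.2.1" > /etc/resolv.conf
EOF
    printf '%s\n' "$sample_dir"
}
```

Run against the sample with `deb_script_etc_paths examplepkg "$(make_sample_info_dir)"`; on a real system, omit the second argument to read dpkg's own directory.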