Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp137446rwi; Thu, 13 Oct 2022 23:01:31 -0700 (PDT) X-Google-Smtp-Source: AMsMyM65AqgOfVwMcocacvT806IEyWDxwfTmhSh0AV8SPgOsoxIA+MzmDRcCxVBqfpGzYB8lZ3il X-Received: by 2002:a17:907:1624:b0:78d:d61c:2b4a with SMTP id hb36-20020a170907162400b0078dd61c2b4amr2345378ejc.208.1665727291295; Thu, 13 Oct 2022 23:01:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665727291; cv=none; d=google.com; s=arc-20160816; b=O+e/ZRNHeVFD3EyNRG9tPBDzIvsHoDyzTdVMs8ge5dzcAkp9++tWv3rZkD8Tbwas1z VhyMcdX+ep+kOld7DVH/ZrDVLdXUI0gigrAwaJZFbwoGuVF+rim9xAl504WbE0bmxNN0 yO877RpK5FdAjIiGRLFtAjF61WzsNWzkm8c0UVgj93mR1VRTMNMg0c7KqRDdR69vEAEJ CDc9uE5+SY7iw5IgWzsREKiB+phsCn3tnJIf0+4Q8qok+OVyE1ZmBVP3tay3cqXoKY22 vBcKT29SZ01uMjqvpPD1a94lDvr0gKhIJMwbfyS/MeAZ4fUhZzS15wHX7xVgBMnqTXBC 0Tfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=NL/4XDKe0l/kcKuOC3aeZoRtekHy3QEWTvQbnoLQPww=; b=f1G56guugccz/GXmloJw9MrcZl8c04KQId96aCenVaVKMaMDLtw8KPhGbZzUDFL5jr l0uICxTE5NZsXve2upa9+bqjIajSvcA5QnmxIGgvEu1vaDSIsgSfFqnJ1aKe559QrgQG SSN82DD77+jn4hx8TThsWo/2s+IBrcze9Tyd47IHVY9z79brOFJNqcONE2c1Gb729Dml 7qw9yds4OY8UGdUpOx4w1SqDeg1gFs1pR4yKMrk+gcROHYwjTUSq4gwt523+9xN66PGB 5gFDr64sGScvbOJOkIyel1oyLW5A4p4aPIwjlfix36rE2qco29EL44XEj6RhFbRpCwlM Rhig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z17-20020a056402275100b0045cd68a2bc5si1823118edd.17.2022.10.13.23.01.05; Thu, 13 Oct 2022 23:01:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229518AbiJNF2J (ORCPT + 99 others); Fri, 14 Oct 2022 01:28:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40750 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229543AbiJNF2I (ORCPT ); Fri, 14 Oct 2022 01:28:08 -0400 Received: from 1wt.eu (wtarreau.pck.nerim.net [62.212.114.60]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 92A3617D847; Thu, 13 Oct 2022 22:28:06 -0700 (PDT) Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 29E5Rumk021809; Fri, 14 Oct 2022 07:27:56 +0200 Date: Fri, 14 Oct 2022 07:27:56 +0200 From: Willy Tarreau To: David Laight Cc: "Jason A. Donenfeld" , Mark Brown , "linux-toolchains@vger.kernel.org" , Linux Kbuild mailing list , LKML Subject: Re: gcc 5 & 6 & others already out of date? Message-ID: <20221014052756.GA21730@1wt.eu> References: <20221013161813.GI16609@1wt.eu> <406260e46943493781891c480e4f8b17@AcuMS.aculab.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <406260e46943493781891c480e4f8b17@AcuMS.aculab.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 14, 2022 at 04:28:10AM +0000, David Laight wrote: > From: Willy Tarreau > > Sent: 13 October 2022 17:18 > ... > > That's also the model where people routinely do: > > > > $ curl github.com/blah | sudo sh > > Anyone doing that wants their head examined.... Most of the time they have no clue what they're doing, they just copy-paste installation instructions. You find hundreds of projects documenting this as the installation procedure, often in the nodejs world it seems, and the fist complaint in general is not that it's a bad practise but that it doesn't work on Mac! Random examples from google's first page: https://gist.github.com/btm/6700524 https://github.com/rclone/rclone/issues/3922 https://gist.github.com/andrepg/71a15e915846acd41370e275eadb0478 https://github.com/shellspec/shellspec/blob/master/install.sh This one looks like a trap, it searches from local vulnerabilities and suggests to be installed like this: https://github.com/carlospolop/PEASS-ng/blob/master/linPEAS/README.md > I'm not sure I'd trust any source of files enough for that. That's for a targetted audience. > Maybe some things get run as root, and maybe they might > do nasty things, but running random downloaded scripts > is as bad as clicking on links in outlook. Yes, or even despite a full end-to-end trust you still have the risk of a truncated script, which you'd rather not face during rm -rf /tmp/blah. Anyway we're getting out of topic here. Willy