This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: Cygwin-wnpp#20050831T2001 ITP: bzr -- Next-generation distributed GNU Arch compatible version control (Python)


"Dave Korn" <dave.korn-RQamRl9Jd2/QT0dZR+AlfA@public.gmane.org> writes:

| ----Original Message----
| 
| >From: Jari Aalto
| >Sent: 31 August 2005 21:15
| 
| > B) or do this (preferred)
| > mkdir bzr ; cd bzr
| > wget -q -O - http://cygwin.cante.net/bzr/get.sh | sh
| 
| 
| Um, from a security point of view, that's one of the most appalling things
| I've ever seen suggested in my life.  Literally.  Pipe the content of some
| random file on some random internet host straight into a shell without even
| looking at it first?  Not on your life! 

Just to help "copy'n paste && quick downloaders".
But downloads need not be random. It's the same as:

$ mkdir bzr ; cd bzr
$ wget -q http://cygwin.cante.net/bzr/get.sh 
$ less get.sh   #  ... inspect in detail
$ sh get.sh

There are various options for how to do the download.

You gave an idea - I'll sign the download scripts next time. The key
can be obtained from keyservers.

| I appreciate that you may feel your site is secure and nobody could
| possibly tamper with the file and nothing could go wrong, but that
| is still a highly risky way to distribute software.

There is also whois(1) etc. if in doubt. Running any program is a risk,
including Cygwin install scripts :-)

Jari
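
The download-then-run sequence from the message, with the manual inspection step backed by an automatic check (an added example, not part of the original message or of the bzr packaging). It pins a SHA-256 digest instead of verifying the GPG signature mentioned above; `sha256_of`, `verified_run`, `demo` and the stand-in script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): run a downloaded script only
# if it matches a digest obtained over a separate, trusted channel.

# Print the hex SHA-256 of a file (sha256sum on Linux/Cygwin, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verified_run FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 3 on digest mismatch (FILE is not executed),
# otherwise the exit status of the script itself.
verified_run() {
    vr_file=$1; vr_want=$2; shift 2
    [ -f "$vr_file" ] || { echo "no such file: $vr_file" >&2; return 2; }
    vr_got=$(sha256_of "$vr_file")
    if [ "$vr_got" != "$vr_want" ]; then
        echo "digest mismatch for $vr_file, refusing to run" >&2
        return 3
    fi
    sh "$vr_file" "$@"
}

# Constructed stand-in for get.sh so the demo runs offline. In real use the
# file comes from: wget -q http://cygwin.cante.net/bzr/get.sh
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo "step 1: unpack"\necho "step 2: install"\n' > "$d/get.sh"
    pinned=$(sha256_of "$d/get.sh")          # what the publisher would announce

    ok=0;  verified_run "$d/get.sh" "$pinned" || ok=$?

    head -n 1 "$d/get.sh" > "$d/cut.sh"      # simulates a download cut short
    cut=0; verified_run "$d/cut.sh" "$pinned" || cut=$?

    cp "$d/get.sh" "$d/mod.sh"               # simulates a change in transit
    echo 'echo "extra line"' >> "$d/mod.sh"
    mod=0; verified_run "$d/mod.sh" "$pinned" || mod=$?

    rm -rf "$d"
    echo "intact=$ok truncated=$cut modified=$mod"
}

demo
```

The truncated case is the one a pipe into `sh` cannot catch, since the shell executes commands as they arrive. A digest fetched from the same host as the script only detects truncation, not tampering on that host.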
