1. Phix Linux 64 downloads

Hi all (+Pete).

Re the download/install steps for Phix on Linux, there are currently 3 separate zips we need to fetch via wget or some other method... I wondered, in the interests of simplicity, would it be possible to host a script like:

wget a18796406824d7adb9ad-267c00a47582f5b7c033a43c96868c90.r76.cf2.rackcdn.com/p64.zip 
unzip p64.zip -d phix 
rm p64.zip 
chmod +x phix/p 
phix/p -test 

At http://phix.x10.mx/downloads/p0.7.9.2-l64.sh (or whatever)? Then it would potentially be as simple as this for users to download and install it:

curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash 

Note, the single zip in my script is the combined result of http://phix.x10.mx/phix.0.7.9.1.zip, http://phix.x10.mx/phix.0.7.9.2.zip and http://phix.x10.mx/p64 ... it was just something I was trying out.


2. Re: Phix Linux 64 downloads

monsieurb said...

curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash 

Please do not do this.

Please do not ever do this.

Signed,

A concerned Linux user. :)

-Greg


3. Re: Phix Linux 64 downloads

monsieurb said...

would it be possible to host a script

well, http://phix.x10.mx/download.php (after clicking linux then 64-bit) already says this

    mkdir -p phix 
    rm -r phix 
    wget http://phix.x10.mx/phix.0.7.9.1.zip 
    wget http://phix.x10.mx/phix.0.7.9.2.zip 
    wget http://phix.x10.mx/p64 
    unzip phix.0.7.9.1.zip -d phix 
    unzip phix.0.7.9.2.zip -d phix 
    mv p64 phix/p 
    cd phix 
    chmod 777 p 
    ./p -test 

and asks if it would be helpful to put that in a setup64.sh, and I wasn't particularly opposed to doing that, if ever asked.

But, I always doubted it would be helpful (why not just paste the above into a script file?), and one more thing for me to get wrong, and then:

ghaberek said...
monsieurb said...

curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash 

Please do not do this.

Please do not ever do this.

Signed,

A concerned Linux user. :)

-Greg

Are you just saying that is a really dangerous thing to do?


4. Re: Phix Linux 64 downloads

ghaberek said...

Please do not ever do this.

OK, but why not? We're missing a few things in any case (checksums, a secure connection).

If I manually copy the commands and run them, I'm still trusting the payload is safe and that nothing malicious lurks in the executables. Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.

Having used Phix a few times, I now trust it and its author. If through no fault of Pete his site is compromised, well, the weak point in the chain is not necessarily the bash script itself.

petelomax said...

But, I always doubted it would be helpful (why not just paste the above into a script file?)

In a word, convenience. If phix.x10.mx/latest.sh always 'pointed' to the latest version, my provisioning script can use that and it doesn't need to have a hard-coded version number.

With all this said, if there are grave concerns and I'm anyway the only one so far seeking this, I don't mind sticking to the existing approach one bit :)


5. Re: Phix Linux 64 downloads

ghaberek said...

Please do not ever do this.

monsieurb said...

OK, but why not? We're missing a few things in any case (checksums, a secure connection).

Good points.

monsieurb said...

Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.

If you wget the script and then inspect it, and then (after verifying that it is okay) run the saved contents, that is probably safer.

It is known how to alter the contents of the script depending on whether it is being viewed in a browser on a webpage vs. being executed on a command line. (IIRC this involved injecting a sleep command followed by an HTTP GET request and then checking the timing of the GET request to see how long the delay was.)

monsieurb said...

Having used Phix a few times, I now trust it and its author. If through no fault of Pete his site is compromised, well, the weak point in the chain is not necessarily the bash script itself.

Perhaps, but why not add that extra layer of security if you can? Just because Pete's site got compromised (or maybe he was hit by a truck right before his domain name expired and the site now legitimately belongs to another person), that should not translate to YOUR systems being compromised too.

monsieurb said...

In a word, convenience.

Yes, those two have always been at odds with one another. )-:


6. Re: Phix Linux 64 downloads

petelomax said...

Are you just saying that is a really dangerous thing to do?

That is what I and a lot of others are saying, yes.

And that's just from the first two pages of Google results.

-Greg


7. Re: Phix Linux 64 downloads

monsieurb said...

If I manually copy the commands and run them, I'm still trusting the payload is safe and that nothing malicious lurks in the executables. Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.

Fun fact: I can feed you a different file from my web server based on the "User Agent" string coming in on the request. So if you're using a desktop browser I'll send you the "clean" script, but if you're using cURL I'll send you the "dirty" script, and you might not ever be suspicious because you "checked" the script in the browser first. Read through some of those articles I posted to see the various tricks attackers can use to trick you into using a seemingly-legitimate script.

monsieurb said...

With all this said, if there are grave concerns and I'm anyway the only one so far seeking this, I don't mind sticking to the existing approach one bit :)

What I'm offering is generic advice: if you want or need to use an install script, download it first and inspect it, then run it manually with bash.

-Greg
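As an added example (not code from anyone in this thread or from the Phix project), here is the "download it first, inspect it, then run the saved copy" flow Greg describes in posts 5 and 7, with the checksum and HTTPS that monsieurb noted were missing. Pinning a SHA-256 means the bytes that execute are exactly the bytes that were reviewed, so a server that hands curl a different file than it hands a browser gains nothing. The URL and digest in install_phix are placeholders.

```shell
# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed (exit 0) only if the file's digest matches the expected one.
# The comparison is case-insensitive on the hex string.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Run an already-saved install script only if its digest matches.
# On mismatch, refuse with exit status 2 instead of running anything.
run_if_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "refusing to run $1: SHA-256 mismatch" >&2
        return 2
    fi
    bash "$1"
}

# Save to a file first (never pipe straight into bash), read it, then run
# that same file. Placeholder URL and digest; use the real published values.
install_phix() {
    url=${1:-https://example.invalid/setup64.sh}
    expected=${2:-0000000000000000000000000000000000000000000000000000000000000000}
    tmp=$(mktemp) || return 1
    # --proto '=https' rejects any redirect to plain http.
    curl -fsSL --proto '=https' -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    ${PAGER:-less} "$tmp"          # inspect the exact bytes about to execute
    run_if_verified "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The expected digest should come from a channel other than the download itself (for example a release note or a second server), otherwise anyone who can swap the script can swap the hash beside it.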
