devmor 2 days ago

I like this. Convincing people not to pipe remote scripts to their shell seems like a lost battle, so making it safer to do is a very good mitigation strategy.

superkuh 2 days ago | parent [-]

Indeed. curl | sh is literally the #1 recommended and most common way to install the rust development toolchain (because it changes too rapidly to effectively be in any repos). It's crazy that a language that prioritizes security so highly in its design itself is only compiled through such insecure methods.

Ref: https://www.rust-lang.org/tools/install

    >Using rustup (Recommended)

    >It looks like you’re running macOS, Linux, or another Unix-like OS. To download Rustup and install Rust, run the following in your terminal, then follow the on-screen instructions. See "Other Installation Methods" if you are on Windows.

    >curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

kibwen 2 days ago | parent | next [-]

> such insecure methods

No, your security model is flawed. curl-to-bash is equivalent to running arbitrary code on your device. If the Rust developers wanted to root you, they could easily just put the backdoor into the compiler binary that you are asking to receive from them.

mustache_kimono 2 days ago | parent | prev | next [-]

> curl | sh is literally the #1 recommended and most common way to install the rust development toolchain

Rust provides a uniform way to install on any Unix you say? Compared to polyglot boarding house which is Linux package management?

> because it changes too rapidly to effectively be in any repos

rustup is also installable via your package manager, but, if it isn't, that's kinda your own distro's problem. The problem is that Linux is non-uniform. The problem is not Rust for providing a uniform, lowest common denominator, method for Unix. Notice Windows doesn't have the same problem.

See: https://rust-lang.github.io/rustup/installation/other.html

> It's crazy that a language that prioritizes security so highly in its design itself is only compiled through such insecure methods.

Compiled?

Please explain the material security differences between the use of rustup.rs method vs. using a package manager.

I'll wait.

goku12 2 days ago | parent | prev [-]

That's a misunderstanding. You can completely avoid the curl bash pattern if you can install the rustup binary and set up the relevant environment variables (like PATH) manually. Everything else, including cargo and various toolchain versions, is installed and managed by rustup. And rustup doesn't have as much churn as the rest of the tools. So, rustup can be (and is) packaged for many distributions. That's all that's necessary in practice. They recommend curl bash because it automates all the above in a single script without exposing such lengthy explanations to a beginner.

pixelesque 2 days ago | parent | next [-]

What exactly are you arguing?

The Parent poster is arguing that the "recommended" way documented on the Rust website to install rustup is using curl bash, and you're saying "it's possible to do things manually".

How is that helpful to the vast majority of the people on Mac/Linux trying to install Rust from scratch and reading the instructions on the website?

goku12 2 days ago | parent | next [-]

> What exactly are you arguing?

This part:

> ... to install the rust development toolchain (because it changes too rapidly to effectively be in any repos)

Rust toolchain is installed using rustup, not curl bash. It's rustup that's installed using curl bash. And while the site does recommend it, installing rustup alone securely is far easier than the entire toolchain.

> How is that helpful to the vast majority of the people on Mac/Linux trying to install Rust from scratch and reading the instructions on the website?

If you're concerned about running a remote script, just check how much work the script actually does. If it's not much, it may be worth exploring the alternative ways for it. For example, the rustup package in Arch Linux [1] does the same thing as what you get from curl bash.

I have mise installed - another package which recommends installation using curl bash. But I don't use it, because it's really easy to install it manually. And when some other tool recommends curl bash, I check if it's supported by mise. As it turns out, rustup can be installed using mise [2].

[1] https://wiki.archlinux.org/title/Rust#Arch_Linux_package

[2] https://mise.jdx.dev/lang/rust.html

navels 2 days ago | parent | prev [-]

Same parent had said "It's crazy that a language that prioritizes security so highly in its design itself is only compiled through such insecure methods."

superkuh 2 days ago | parent | prev [-]

>You can completely avoid the curl bash pattern if you can install the rustup binary and set up the relevant environment variables (like PATH) manually.

Are you saying that if you avoid the curl bash pattern then you can avoid the curl bash pattern? This is true, and trivial, and completely irrelevant to what the rust website recommends and what most people do.

There's definitely been a misunderstanding. The misunderstanding is that you think people are installing rust from rustup from their repos. The website shows you this is not the most common case.

I do get your point that it doesn't have to be this way anymore. That rustup itself could be in repos and still work (even rustc/etc can't). But this is not how it has been done for rust's entire existence and change is slow and hard. Is there a single distro that does do this now?

kibwen 2 days ago | parent | next [-]

> That rustup itself could be in repos and still work

So surely you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over? How do you expect the Rust devs to distribute the compiler? If you want to build from source, that's extremely easy. For people who want convenient binaries, Rust also offers binaries via the most convenient means available, which is curl-to-bash. This isn't a security flaw any more than running the compiler itself is.

veber-alex 2 days ago | parent | next [-]

rustup is available on plenty of distros now, and it's on homebrew in macOS.

The Rust docs should really offer installation methods other than curl | sh. Not from a security standpoint (I think that's nonsense) but I just don't like polluting my system with random stuff that is not managed by a package manager.

Edit: Yes, there is an "other installation methods" link, but the text makes it sound like it is only applicable for Windows.

shadowgovt 2 days ago | parent | prev | next [-]

This is probably the key idea in this specific context: the tool you're downloading is a compiler. If you don't trust the bash script hosted by the compiler's creators (assuming you're properly certificate-checking the curl connection and not bypassing TLS), why would you trust the compiler binary it's trying to install?

superkuh 2 days ago | parent [-]

I trust Debian to vet and package things in a way that won't break my desktop. I don't trust the Rust organization because their goals are very different.

mustache_kimono 2 days ago | parent | next [-]

> I trust Debian to vet and package things in a way that won't break my desktop.

Um, has there been some instance where rustup broke a desktop? And I'm assuming Debian has actually delivered on this worst case scenario?

shadowgovt 2 days ago | parent [-]

Debian's done a pretty good job here. If you run unstable you'll get up to Rust 1.85 (whereas the project home will get you 1.88).

Of course, it's Debian; stable is alllll the way back on 1.63, state of the art in 2022.

mustache_kimono 2 days ago | parent [-]

> Debian's done a pretty good job here.

I meant I bet Debian has broken desktops with a simple `apt update`. Whereas show me where rustup has broken a desktop?

shadowgovt 2 days ago | parent | prev [-]

I'm not sure how that's relevant for rust. I'm trying to think of a way they could distribute the rust toolchain that would break your desktop; does your desktop have a native rust install that other pieces of the distro are relying on to have a particular configuration (like the gcc most distros ship with) that a curl | bash installed toolchain would interfere with?

superkuh 2 days ago | parent | prev [-]

>you acknowledge that rustup not being in any given distro's repo isn't something that the Rust developers have control over

The lack is a consequence of the type of language rust developers chose to be. One that is constantly, rapidly (over just a few months) changing itself in forwards incompatible ways. Other languages don't really have this problem. Even c++ you only have breaking changes every 3-4 years which can be handled by repos. But 3 months old rustc in $distro repos is already fairly useless. Not because rust is a bad language, but because the types of people that write in rust are all bleeding edge early adopters and always use $latest when writing. In another decade or so when the rust developer demographics even out a bit it will probably be okay.

goku12 2 days ago | parent | prev [-]

> The misunderstanding is that you think people are installing rust from rustup from their repos.

No. The misunderstanding is that you decided that I was talking about how people choose to install rustup, while I didn't even mention it. My reply was entirely about how the entire rust toolchain doesn't have to be in the distro repo. Here's the part in the original comment that I was referring to as a misunderstanding:

> to install the rust development toolchain (because it changes too rapidly to effectively be in any repos).

> This is true, and trivial, and completely irrelevant to what the rust website recommends and what most people do.

Irrelevant to you perhaps. But it's a relevant detail if you're an individual user/developer who cares about security. It's easy to entirely skip the curl bash pattern for rust if you care enough.

The question of why the website recommends it is moot because they wrote the script and vetted it among themselves. They have no reason to mistrust it. Meanwhile, the security culture of the user is not really their concern. It's not unreasonable for them to expect you to read a bash script before you download it from the net and execute it. I did, and that's how I realized that there are alternatives.

If you think that it's unreasonable, look at how many projects, including programming languages, recommend the same. The prevailing sentiment among the devs is clear - "Here's a script to do it easily. We haven't put anything harmful in it. But we assume that that's not enough guarantee for you. So just check the script first. It's just non-obfuscated bash". I almost always find ways to avoid the curl bash step whenever a project recommends it.

> Is there a single distro that does do this now?

Enjoy the following articles in the Arch Linux, Gentoo and Debian wikis discussing the exact topic. Not only do they have rustup packaged in their repo, rustup even has build configurations to make it behave nicely with the rest of system in such a scenario (like following the FHS and disabling self updates).

[1] https://wiki.archlinux.org/title/Rust#Arch_Linux_package

[2] https://wiki.gentoo.org/wiki/Rust#Rustup

[3] https://wiki.debian.org/Rust
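
The "check the script first" step discussed in the comment above, as an added example that is not part of the thread or of Rust's own tooling: download the installer to a file with the curl flags quoted from the Rust site, read it, record its SHA-256, and run it only if the file still matches. The function names, the local file name and the recorded-hash step are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fetch, review, then run, instead of curl | sh.
INSTALLER_URL='https://sh.rustup.rs'   # URL quoted in the thread
LOCAL_COPY='./rustup-installer.sh'     # local file name chosen for this example

# Download to a file using the TLS restrictions from the quoted command.
fetch_installer() {
    curl --proto '=https' --tlsv1.2 -sSf -o "$1" "$INSTALLER_URL"
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file exists and still has the hash recorded at review.
matches_reviewed_hash() {
    [ -f "$1" ] && [ "$(file_sha256 "$1")" = "$2" ]
}

# Run the script (extra arguments are passed through) only if it is unchanged.
run_if_reviewed() {
    script=$1
    reviewed=$2
    shift 2
    if matches_reviewed_hash "$script" "$reviewed"; then
        sh "$script" "$@"
    else
        echo "refusing to run $script: missing or changed since review" >&2
        return 1
    fi
}

# Usage:
#   sh fetch-review-run.sh fetch          # download and print the hash, then read the file
#   sh fetch-review-run.sh run <sha256>   # run only if it matches the hash you recorded
case "${1:-}" in
    fetch) fetch_installer "$LOCAL_COPY" && file_sha256 "$LOCAL_COPY" ;;
    run)   run_if_reviewed "$LOCAL_COPY" "${2:-}" ;;
esac
```

Writing to a file first also means the shell never executes a partially downloaded script, which a pipe cannot guarantee if the connection drops mid-transfer.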