Remix.run Logo
shitter 3 hours ago

The user's code folder? You mean the code I frequently pull from untrusted sources, unlike my .bashrc? Opening a GitHub project for review should not mean arbitrary code execution.

Of course, that ship has long sailed, for all major IDEs. Heck, VSCode SSH and devcontainer remotes allow RCE by design.

paxys 23 minutes ago | parent | next [-]

The entire point of Cursor is to run autonomous coding agents. You are giving it a random untrusted repo, saying "hey it might have a virus, go crazy" and then getting mad that it caused harm?

Check (and double check and triple check) your sources. If a malicious executable made it to your computer it is already too late.

taneq 2 hours ago | parent | prev [-]

I’ve never got my head around how it’s apparently the done thing these days to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software. I somewhat naively hope that this is because everyone is pushing single purpose VMs for that kind of install, but really I know better.

petalmind an hour ago | parent | next [-]

> to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software.

how is that different from the good old days of

    wget ftp://ftp.something.org/software-2.10.tar.gz
    tar zxfv 
    ./configure
    make
    sudo make install

?
Terr_ 28 minutes ago | parent [-]

Training people (esp. what passes for non-techies on Linux) to regularly copy-paste into the terminal is massively riskier than "click this URL". Just for starters, consider how easily you can make a web-page where you highlight X to copy it, but instead Y is delivered to your clipboard. Then on execute it could even redraw the terminal to pretend you pasted X all along.

Also, there's a convention or social-contract that everyone who downloads 2.10 ought to get precisely the same thing. This provides a foundation for other facets of security, like "it must have an expected hash" or "it must validate as signed by this public key". Also investigative actions like discovering when something suspicious got added, or detecting that the installer is trying to access the internet when it really shouldn't be.

paxys 29 minutes ago | parent | prev [-]

How is it different from downloading and running the application itself from that website?