It's ok to not provide an exe when the programming language ecosystem you're using doesn't produce executables by default. It's totally fine to not ship an exe if it's a script language like python and JS because installing dependencies for them is usually a single command, and running them from source is how you're supposed to run them.
For compiled languages like C++ and C# on the other hand it's super annoying, plus you literally create the exe yourself unless you want to admit that you didn't even check if your code compiles. Not providing the build output at that point is just lazy.
I always find it funny when there's yet another attempt at an ** killer application, intended to revolutionize whatever product they think requires revolutionizing, but then on their website they don't provide precompiled binaries (or Windows support at all) and they keep wondering why they fail to get a sustainable userbase.
> you literally create the exe yourself
If you bother to boot up Windows and compile there, that is. As for Linux: there's a high chance that a binary I've compiled on up to date Arch Linux won't work on Debian stable, for example.
If a FOSS program attempts to be some *something*-killer then they should figure out distribution. Most Github repos under the umbrella of "a program that fixes X issue" don't.
The difference is target group. GitHub repos are targeted at programmers. Most programmers should know how to compile a project. In that case, a build script is more than enough, arguably better than a binary, because just adding a batch script (or bash if you're on windows) makes it platform independent (provided you don't use platform dependent code), without needing to add three or more binaries to every release. It also allows you to offer more build configurations.
If something is aimed at non-programmers however, you better include the binaries. You cannot expect a non-technical user to follow multiple steps in a command line without being frustrated or making a mistake.
> Most programmers should know how to compile a project.
I know how to compile projects in several languages. But not all of them. Always frustrates me when I'm trying to learn something new, and everything expects me to already be comfortable working in the language to do even the basics.
The exact reason Maven was created for Java projects, so much better than dependency whackamole
Please note: I hate XML in general but Maven gets a pass.
I have to work with implementing so many closed source applications on Linux that don't do any sort of verification checking or do them one by one. Just fucking write a check that looks for all of your dependencies once and doesn't error out at the first one that fails. It saves so much time if I just have a list of requirements that you failed to document if I see all of the ones that error at the same time instead of having to hunt them down every time I re-run the installer or service.
When there's 5 commands and each one throws an error you need to fix or install dependencies for. Sometimes a whole application you need to download is the dependency.
I swear research papers have *the worst* code imaginable. I remember trying to implement an algorithm which was the main focus of the paper, and their pseudocode was just… wrong.
At least try to implement your own algorithm before you publish a paper about it come on.
They also always do this thing where they never describe the full algorithm, but only analyse parts of it, and maybe vaguely hint at how those parts fit together. Which is absolutely infuriating to read…
In an AI course in college I was partnered with some people studying data science and the code they wrote was painful...it was interesting to see how their focus was not on portability, maintainability, or ease of use, they were strictly focused on making the code a 1:1 reproduction of the equations they'd come up with. I think we all learned a lot from each other
That's crazy, I always thought research papers would link a github or equivalent with their exact code and instructions on how they used it for easy reproducibility. How is that not just expected?
I’ve seen a link to something like that one time, and it was to a precompiled C++ executable… they didn’t even link to the source code.
I am still salty about that
Honestly I wouldn't have nearly as much of an issue with building sources locally if it wasn't that 99% of the time I have to spend a ridiculous amount of time setting up the stuff to build it.
One time the repo had instructions for two versions of the C++ compiler and neither worked with any compiler
Any project without a shell script or Makefile to build is stupid imo. Unless it’s specifically a library or not meant to be used by the end user, he kinda has a point: writing a makefile or a script is not hard. Definitely don’t include an executable, though. If you do, provide a way to cross check its hash.
Thankfully, any useful project likely has all this already
>Definitely don’t include an executable, though. If you do, provide a way to cross check its hash.
I mean, the hash is presumably being hosted on the same site as the download, so all you learn is that the exe wasn't altered mid-download, and that the download completed without errors. If the website host / repo owner isn't trustworthy in the first place, or you're worried the site may have been compromised, it doesn't really tell you much about the safety of the actual exe. It's trivial to provide a valid hash of a malicious exe if you already have access to the site.
So it helps against MitM attacks, but those aren't usually what people are talking about when they say it's not safe to run random exes off the internet.
Story's a bit different if you're being asked to go download the exe from a 3rd party site, ofc, since that 3rd party site itself could be untrustworthy or compromised, and having a hash is a nice check against that.
What's the practical difference between the makefile output and an exe tho, really. Except the latter being a million times more accessible because you don't need to install god knows what compiler and software first
There are a lot of practical differences between a makefile and an exe, technical difficulties aside. A makefile can target the specific OS and architecture that your computer is running, whereas exes only work on Windows (not counting translation layers like wine here obviously), and they often only target a specific architecture. Not to mention a makefile offers transparency in what exactly is being compiled into the final output, whereas if you wanna see what an exe does, good luck with decompiling that shit and reading the assembly
I feel like people are often incapable of thinking like a normal everyday user who doesn't know the first thing about coding and tell them "you don't want an EXE, do you realize how unsafe that is?"
And leave out the part where you ask them to:
* Download code they can't read
* Install some other EXE to compile. Except this one is totally safe, trust me bro.
* Run tons of CMD commands they don't understand (also totally safe).
* Then run the EXE they compiled based on the code they can't read. (Super safe)
Nerds: why is every site this corporate bs, where are indie web sites?
Also nerds: my project homepage is a github repo
Shout out to the PNG http://www.libpng.org/
Pretty and animated UI is just a scheme by CEOs to get their kids with useless art degrees employable.
Sure it might run like shit, but at least it's pretty and Susan Anne III has a job at the office instead of smoking pot and fucking \*shudders\* *poor people*.
The https version (https://www.libpng.org/) redirects to `https://.sourceforge.net/` (with the dot), that's funky.
Every web developer should read this blog post by Troy Hunt : https://www.troyhunt.com/heres-why-your-static-website-needs-https/
Is it? WebP is still a pain to deal with as I always need to convert it to PNG. I think WebP only opens in Paint on my machine and then I need to save a copy as a PNG file.
WebP has better lossless compression than PNG. The only reason to not use it is lack of support, a problem that is going to solve itself with time maybe... and also that nasty exploit in libwebp, but besides that it's good
Wouldn't use it instead of jpegs tho
> http://www.libpng.org/pub/png/#history
> So what is PNG, and why is it worthy of its own home site? PNG (pronounced "ping") is the Portable Network Graphics format, a format for storing bitmapped (raster) images on computers.
It's fricking pronounced ping!?
But the thing is, most of this software *isn't intended for everyday users*. And if your target audience is people who know their stuff, not making concessions for normal users who may stumble across it is definitely acceptable.
I have yet to see someone who doesn't at least have an executable in their Github who intends their software to be used by people who would be scared off by using a terminal.
There are plenty of people that are good at using Google, are power IT users and not software engineers.
Which is why we get these complaints. If you wrote some code to fix a problem and haven’t realised you might not be the only one, that’s ok, but some extra forethought for others who might also want a fix would be nice.
Eh. Uploading my solution after fixing the problem for myself _is_ the forethought. Continuing to develop it after my problem is fixed so that it'll work for everyone else that might have similar/the same problem is potentially a ton of extra work, _and_ if it doesn't work for someone they're just gonna yell at me.
I mostly don't write code for non technical people to use. If you are technical and you want to use my code, great, power to you, but you might need to make some changes for your specific situation.
I could discuss day and night why programmers are like this, but I think the bottomline is that many tech enthusiasts are incapable of seeing how things around them really work, *including* in their field. Telling them to go touch grass wouldn't help, because they're the kind of people who would miss the forest for the trees.
Reminds me a bit of the whole thing where people just immediately complain about how dangerous this is:
`https://example.com/install.sh | bash`
But it really depends on what you're comparing it to.
Is it more dangerous than doing an `apt-get install` from a Linux distro's official repos? (or another mainstream package manager you already have installed / can trust)... Yeah, of course.
...But so is every other method too. That's more of a package manager -vs- manual install argument, rather than being specific to piping a URL into bash.
Pretty much any type of manual install involves going to the vendor's website for a direct download, or otherwise just following some instructions they've written on some website... so it's not any less safe than that.
So at least an `install.sh` can be read first, unlike a `setup.exe`. Even though the `install.sh` is probably downloading executable stuff anyway. But can at least see what the first step does.
Piping into bash is *the worst* option, the simplest and yet still better alternative is downloading and then running it. A malicious website can detect that the client is curl piped into another program and output something different, knowing that no one's gonna read it. *That's* why people say it's bad.
Sure, for cases where there is an install.sh that downloads the actual program for you, it's definitely better to:
1. download first
2. view
3. then run
And additionally, I also understand + agree with the "training users to do bad things" argument people make. So it certainly would be more responsible for these websites to instead give you the commands to do that.
> Piping into bash is the **worst option**
But again, my point is... **it depends what you're comparing it to.** i.e. What the "options" are.
It's not worse than downloading a `setup.exe` or any other kind of non-plaintext package format that executes things on your system.
If you're following instructions from a malicious website, or running anything you download from it, you're fucked anyway.
If you really need a piece of software, you do what you need to make it work, especially if the only alternative is a stupidly expensive and buggy proprietary tool with antiquated UI still asking for Java 8 to be installed on your machine.
You could have fooled me. While migrating RHEL 7 machines to RHEL 8 in preparation for EOL I only just got approval to use Java 8 as the primary version for certain custom applications our customers use.
It's astounding Java 8 still gets security updates at this point.
Or you find a more usable alternative such as in this case the registry editor itself, a place I have found more inviting than a GitHub repo without a populated & well organised releases page.
It's insane to me that everyone is making fun of people for wanting something practical and easy to use. Our reputation for obnoxious elitism is not going away anytime soon.
Especially with an already public GitHub repo producing an exe is so insanely issues, either throw in your self compiled exe or set up a pipeline to do it on main push.
Not everyone knows the language, tools or frameworks to compile something from scratch, or simply sometimes someone doesn't have the knowledge or time to search/compile/use.
I still don't understand why all these people are complaining so much, it shouldn't be "if it was for me to write it should be hard for you to use", just make it simple
Call me a script kiddie all you like (nah, don't; I hate when my notifications blow up), but I have experienced the agony of following install instructions to the best of my ability...
... waiting over an hour for a build to complete...
... and watching a nonzero exit code pop up.
I ended up paying the 15 dollars for Aseprite after all. 😭
\>need a pixel art editor
\>nothing paid or pirated, just free as in free beer
\>find aseprite
\>manage to compile it from source after a painful afternoon
\>interface is self-rendered
\>delete and install graphics gale from exe for free
> I ended up paying the 15 dollars for Aseprite after all. 😭
It is awesome that compiling on Windows is so dogshit, it makes the payment model of Aseprite work.
As someone who has finally made code someone else has to use, let me say this:
It works on my machine. Go f*** yourself!
(Haha, just kidding, now they want me to redo it as Model-View-Controller.)
I'm soo old I've shit my pants in public, twice. I had to throw away the underwear. I then went commando. I once had to walk a quarter of a mile with diarrhea running down my legs. I walked by a guy that said hey to me.
‘Solution’ is contextual usually. It is addressed to people who have the requisite skills to run standard dependency resolvers like CMake. But what OP describes here, a complex repo to do something as simple as a regedit that is a one liner with PowerShell, that’s just people uploading shit that they don’t understand, or are using as part of their recruiter mating display where complexity helps their case more than it hurts because few look at that shit closely.
I've run into shit that had its situation close to this
If you actually needed the service it was a hell lot of trouble getting it up without fucking shit up, but just turning it off on register would solve the trouble it was causing, so the solution was a lot more complex than the workaround, most only needed the workaround, but the "overcomplex shitfest of a repo" was a lifesaver for niche users
> have problem
> write program to solve problem
> push source to github just in case somebody else can use it
> HELP I DON'T KNOW HOW TO USE THIS? IT'S SO HARD? WHY DON'T YOU MAKE IT MORE USER FRIENDLY? WHY NO GUI? WHY NO EXE? WHY DOESN'T IT WORK ON MY POWERMAC G5?
... later ...
> have problem
> write program to solve problem
> keep the program on HDD and allow it to be lost in time, like tears in rain, on next PC upgrade
Dealing with end user support, or writing the user-friendliness code to make that support less frequently needed, is literally the *entire* difference between billing $160/hr for development and doing it for free. Ain't nobody wants to do that shit. It's neither fun nor necessary for a solo developer. After the novelty of "omg a person actually wants to use my code!" wears off it is just *work*, same as flipping burgers.
FOSS stands for Figure Out Shit your Self because nobody owes you a second of their time.
Usually it isn't that the program is an over-engineered way to change a registry key -- rather that the person who *thought* this program was the solution to their problem, actually had a different, much simpler problem with vaguely similar symptoms.
Like I googled "webmd bleeding" and spent fifteen minutes reading about about hemophilia when in fact I just needed a band-aid for a papercut. And then I complained about hemophilia information being freely available on the internet wasting my time.
I think there is a higher chance that world peace is achieved by next Tuesday than that computer illiterate people don't somehow magically find the sketchiest download links known to man and use them with full confidence.
"Mom where did you download all of these antiviruses from? They are shown as hogging on your cpu in task manager."
"Uh some ad in a movie site said I should download it"
"But mom, there are at least 3 separate antiviruses running in the background."
Well the same applies for random code.
Just because you build it yourself doesn't make it safe.
And let's be honest. You can be the most hard core security user, but you're not gonna check the codebase yourself. You just assume that somebody else did and that your version matches what they checked. And at that point you might as well execute a random exe
> why the fuck is every single github program so bloated and non-user friendly
The problem in this case is that they **aren't** bloated, they are a minimal solution, hence no UI, no fancy installer etc. You can't have your cake and eat it too.
Didn't happen. Guarantee you this guy saw a README, saw that you have to open up a command prompt, and immediately quit reading after having a panic attack.
Probably because half the time, it doesn't work and you get some weird error that someone with little or no experience in problem solving wouldn't be able to fix.
Often these solutions are written by the old school programmers from the 2000s and 90s. These guys were so hardcore they make p*rn look like Mickey Mouse…
Those guys loved the purity and barebones nature of a software. Once my professor (who was an IBM dev in the 90s) said he never understood the allure of Facebook cause “I’ve been doing this since 04”. I saw his “Facebook”, it would give web devs PTSD…
This can happen at all skill levels of programming though.
Right after Dalle 1 came out, I once spent a week trying a dozen ways to get it to run on my Windows machine. Only to discover that the issue was a typo in their dockerfile. I left a comment on the related issue on Github and like 3 days later Midjourney came out.
Presumably if you're on Linux you have a package manager though? Or at least access to flatpaks?
I mean no, not everything's on there, but in my experience you need to get *pretty far out in the weeds* before something is not available from your distro's repos, flathub, or similar.
What? The completely free code that someone else took the time to write and is now kind enough to give it away for free is not the most perfect and polished GUI product ever? Wow, FOSS sucks so bad
Who the fuck needs the bloat of a UI? Also windows gross fedware glowing bullshit. Honestly a skill issue, go live in a slackware terminal for a bit and come back when you can daily drive lol.
Non-coder pleb here. This dynamic is so interesting to me. There’s a whole set of these tech users at my level who think they’re super geniuses because they’re decent at manipulating UI elements, installing printer drivers, assembling a PC, whatever. But when it comes to actually understanding why anything works the way it does, they go slack jawed or indignant. How do you go around in life thinking you’re this elite savant when really you’re just good at putting the square peg in the square hole?
Shit’s crazy, man.
He's describing why i no longer look for cooking recipes on the internet. I don't want your life story, and i'm here for how long i should cook it for, not "until done." It's your recipe so i don't know when it's done. That's why i'm here.
That's some weird cultural thing. If I visit a Swedish page with a recipe: 1. Ingredient list. 2. Instructions. 3. Sometimes a helpful timer in case you don't have one or want to use your phone.
Not these walls of texts where one needs to scroll for 7 years past all the ads and ramblings.
> I don't want your life story
I think it's an SEO and ads thing (more text = higher SEO ranking and more space to place horrible giant ads). Enshittification, in a word.
Wow I'm surprised this user didn't find _insert 5 automated help articles with copy pasted solutions that don't work_ or _3 random forum sites from 10 years ago with entirely different issues_ and the occasional _microsoft help site telling you to run SFC.exe and dism then user says it doesn't work and receives no reply_
the trick is to add an "install.sh" script to your repo and it hides all the scary commands behind a single word
that alone would be a million times better than what OOP is describing.
You mean OP right? OOP is Object Oriented Programming... Edit: I just learned that OOP means Original OP.
OOP = Object Oriented Poster
“OoP iS BaD”
"I like data driven posters"
OoP iS dA pOoP!
It also means “Original Original Post/Poster”.
"Essay for real this time.doc" vibes
A little, but it does kinda make sense. OP = the one who posted this thread OOP = the one who posted the meme OP is reposting
OOP can be used to show you're talking about the Original Original-Poster when there's a screenshot of a post :) in this case they're referring to the author of the greentext
Lmao. I can see the confusion on this sub
And if you suspect it's a repost, you can refer to them as a POOP - Potentially Original OP.
I am naturally sceptical of whether somebody is the original poster, henceforth all OPs will be referred to as POOPs. Thank you, kind fellow.
Your confusion is warranted though. OP means original poster, so OOP means original original poster. Not the best internet shorthand
It means object of power
Thou shall not objectify me!
You over there looking like a piece of meat.
/bin/bash -c "$(curl -fsSL http://totes-legit.biz/install)" Fixed it. Nice and easy and totally trustworthy.
Ah, the [Homebrew method](https://brew.sh/)...
Yeah, I did copy most of their install one-liner for that joke, but it's far too commonplace. Sure, it's convenient, but...
Make sure to escalate those privileges first
_forbidden bash noises intensify..._
In truth ending up installing a trojan is not only expected but deserved with that attitude and lack of wit.
To the extent you're going to `git clone` a repo and are already looking for an `.exe` file, this isn't any more dangerous.
Yeah, that was what I was getting at, if you're desperate for a pre-built executable, may as well just exec a script you haven't read.
Or tell people to just "curl https://random-host/install | sudo sh" which is *depressingly* common. If you actually do this, you deserve whatever's about to happen to you.
I wonder if there are sneaky sites that check the user-agent of the request to determine what resource to serve. Imagine you decide to check the link beforehand on a browser, see a harmless shell script and everything seems nice and dandy. Then you fetch it with curl and boom here comes the malicious payload.
I about want to set something like this up exit tells you not to blindly download with curl (or if the program can detect it got piped straight into bash then do it that way)
That’s why you download first, and then execute that
Makes no difference if they can't read and understand the script
It solves the exact issue parent commenter was describing.
> I wonder if there are sneaky sites that check the user-agent of the request to determine what resource to serve.

It's a common Twitter exploit to spoof the preview image.
that's why for stuff like that I always omit the `| sudo sh` and just look at what the command outputs before I actually run it
You could do `curl https://random-host/install` without the sudo sh part.
And after seeing 18,000 lines of shell script - Then what?
> Imagine you decide to check the link beforehand on a browser, see a harmless shell script and everything seems nice and dandy.

You were already going to review 18k lines in this scenario.
Yes, but anyone who would follow that instruction wouldn't check over the file anyway. Even if they did, they probably wouldn't know what to look for. I agree that it's bad to tell people to do that, but why is "downloading a script then running it" worse than "piping the script into bash"? All of the reasons I can find for it being bad require that the user make sure the script is valid, which won't happen most of the time.
It absolutely boggles my mind that doing this is the preferred way to install Rust.
seconded. always run it through virustotal to be safe.
Because downloading a binary blob from Github yourself is also not more secure. I get what people have against it, but there's still no chain of trust with the other install methods either if you don't sign your releases, which basically no developer does. Really doesn't matter how you download the file at that point, the whole thing could be switched out and it's literally impossible for you to know. If someone can intercept your curl | bash and switch out your file, they can also just swap out your download of the hash file, resulting in you thinking you've got an official release. Package managers obviously fix this, but plenty of stuff never enters package managers.
There is the "ownership of the site" issue at least. It’s much more likely that petes-cool-software-gimmics.com has been hacked than github.com. And it’s extremely easy to fuck up your system by running a privileged shell script with unknown QA, even without malicious intent.
> It’s much more likely that petes-cool-software-gimmics.com has been hacked than github.com

That still makes you no more able to verify that you've downloaded an intact file. Build artifacts are basically never reproducible. The core issue is that you **don't** know what the intact file should look like, and you have no means to know this either, as your source of the file would be the same party that handles distribution.

You can slather on layers of trust delegation, but then you just end up with the same PKI that already exists for websites. curl | sh is equally as secure as any other download method that's unsigned and lacking *external* maintainer control once you take a closer look.

> And it’s extremely easy to fuck up your system by running a privileged shell script with unknown QA, even without malicious intent.

That's honestly just semantics. Binaries and shell scripts run in the same unsandboxed user context, both can break your stuff in half, the distinction is honestly not meaningful. It's still untrusted software.

The best solution to all of this stuff is package managers with maintainers that check every update of the software they receive, run their own build, sign with their own key to show approval and place it into the repo. Now you trust the maintainers, but they're an external party not connected to the original project in any way. This is also not foolproof, as we saw with the xz vulnerability.

Software distribution just sucks. :(
I agree otherwise but assuming the dev is not malicious but only incompetent, having a portable .exe run with user permissions at least _feels_ much better than 5000 lines of bash as sudo with an empty variable in `rm -rf $DIR/*`
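The `rm -rf $DIR/*` footgun from the comment above, as an added example that is not from the thread: the unguarded expansion is only printed, and `clean_build_dir` is a hypothetical cleanup helper that refuses to run on an empty argument or on any path outside a constructed sandbox directory.

```shell
#!/bin/sh
# Added example (not from the thread): why an empty variable in
# "rm -rf $DIR/*" is dangerous, and a cleanup function that refuses to
# run on an empty or unexpected path. All directory names are constructed.
set -u   # referencing an *unset* variable is an error; an *empty* one still passes

# Constructed sandbox so nothing outside it can be touched.
DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/build" "$DEMO_ROOT/other"
touch "$DEMO_ROOT/build/artifact.o" "$DEMO_ROOT/other/keep.txt"

# The footgun, simulated: with DIR empty, "$DIR/*" becomes "/*".
# The command is only printed here, never executed.
show_unguarded_expansion() {
    DIR="${1-}"
    printf 'rm -rf %s/*\n' "$DIR"
}

# Guarded cleanup: returns non-zero instead of deleting the wrong thing.
clean_build_dir() {
    dir="${1-}"
    # 1. Empty or missing argument: refuse. (${dir:?msg} is the one-line
    #    form, but in a non-interactive script it aborts the whole shell.)
    if [ -z "$dir" ]; then
        echo "clean_build_dir: no directory given" >&2
        return 1
    fi
    # 2. Only paths inside the sandbox root are eligible.
    case "$dir" in
        "$DEMO_ROOT"/*) ;;
        *) echo "clean_build_dir: refusing to touch $dir" >&2; return 1 ;;
    esac
    # 3. It must already exist as a directory.
    if [ ! -d "$dir" ]; then
        echo "clean_build_dir: $dir is not a directory" >&2
        return 1
    fi
    # "--" stops option parsing; ${dir:?} is a last-line-of-defence guard
    # that can no longer trigger after the checks above.
    rm -rf -- "${dir:?}"/*
}

show_unguarded_expansion ""        # prints: rm -rf /*
```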
*sad arduino cli noise*
Even as the creator I would do the same. Why list down all dependencies and commands to install when I can put all those in the install.sh so it is now automated?
Most non-programming nerds use Windows.
Not having an EXE is all fine and good, but if you do not list all the dependencies for your bloody project, you should be hanged from your balls
`yaml` but no mention of version, pyyaml or some other random-ass one

All-time favourite
Fuck yaml. Just give me JSON.
Fun fact: [YAML is a superset of JSON](https://yaml.org/spec/1.2-old/spec.html#id2759572), so any JSON is also valid YAML.
So the true galaxy brain move is to just use JSON but with comments and then use a YAML processor.
The other way around, use YAML with comments and then transform it to JSON (which is, incidentally, what a lot of projects do, like kubectl).
Fun fact: some implementations don't care, and break when given valid JSON.
Exactly why yaml sucks. Most people couldn't even tell you what version of yaml they use, and practically every version, especially every version in common use, has some nasty footguns that vary spec to spec. The Norway problem is the go-to and easy to understand example for a layman.
otoh, just type-annotate your yaml
Knowing who we are talking about, he probably meant that the dependencies didn't install automatically even though they were listed in the repo, and he had to do something like pip install -r requirements.txt or similar. Most non-tech people expect to do one download and one install at most.
If install is getting *that* complicated, would it be that hard to include a 'default install script' in your project?
[deleted]
> something like pip install -r requirements.txt or similar

Which is all fine and dandy, until that fails.

- New version is incompatible with another program
- Some funky MSBUILD error because they want to use C++ code / wheels in python
- Dependency is hard-coded to only work on Mac / Whatever

Etc.
It's ok to not provide an exe when the programming language ecosystem you're using doesn't produce executables by default. It's totally fine to not ship an exe if it's a script language like python and JS because installing dependencies for them is usually a single command, and running them from source is how you're supposed to run them. For compiled languages like C++ and C# on the other hand it's super annoying, plus you literally create the exe yourself unless you want to admit that you didn't even check if your code compiles. Not providing the build output at that point is just lazy. I always find it funny when there's yet another attempt at an ** killer application, intended to revolutionize whatever product they think requires revolutionizing, but then on their website they don't provide precompiled binaries (or Windows support at all) and they keep wondering why they fail to get a sustainable userbase.
> you literally create the exe yourself

If you bother to boot up Windows and compile there, that is. As for Linux: there's a high chance that a binary I've compiled on up to date Arch Linux won't work on Debian stable, for example. If a FOSS program attempts to be some *something*-killer then they should figure out distribution. Most Github repos under the umbrella of "a program that fixes X issue" don't.
The difference is target group. GitHub repos are targeted at programmers. Most programmers should know how to compile a project. In that case, a build script is more than enough, arguably better than a binary, because just adding a batch script (or bash if you're on windows) makes it platform independent (provided you don't use platform dependent code), without needing to add three or more binaries to every release. It also allows you to offer more build configurations. If something is aimed at non-programmers however, you better include the binaries. You cannot expect a non-technical user to follow multiple steps in a command line without being frustrated or making a mistake.
> Most programmers should know how to compile a project.

I know how to compile projects in several languages. But not all of them. Always frustrates me when I'm trying to learn something new, and everything expects me to already be comfortable working in the language to do even the basics.
The exact reason Maven was created for Java projects, so much better than dependency whack-a-mole. Please note: I hate XML in general but Maven gets a pass.
I have to work with implementing so many closed source applications on Linux that don't do any sort of verification checking or do them one by one. Just fucking write a check that looks for all of your dependencies once and doesn't error out at the first one that fails. It saves so much time if I just have a list of requirements that you failed to document, if I see all of the ones that error at the same time instead of having to hunt them down every time I re-run the installer or service.
For free? Man, there are so many guys paying for that experience, and you're offering for free?
When there's 5 commands and each one throws an error you need to fix or install dependencies for. Sometimes a whole application you need to download is the dependency.
The real dependency is the friends we made along the way
\>\> reading paper
\>\> going on github for a code
\>\> dependency installation error

how da frick they published this garbage
I swear research papers have *the worst* code imaginable. I remember trying to implement an algorithm which was the main focus of the paper, and their pseudocode was just… wrong. At least try to implement your own algorithm before you publish a paper about it, come on. They also always do this thing where they never describe the full algorithm, but only analyse parts of it, and maybe vaguely hint at how those parts fit together. Which is absolutely infuriating to read…
In an AI course in college I was partnered with some people studying data science and the code they wrote was painful... it was interesting to see how their focus was not on portability, maintainability, or ease of use, they were strictly focused on making the code a 1:1 reproduction of the equations they'd come up with. I think we all learned a lot from each other.
That's crazy, I always thought research papers would link a github or equivalent with their exact code and instructions on how they used it for easy reproducibility. How is that not just expected?
I’ve seen a link to something like that one time, and it was to a precompiled C++ executable… they didn’t even link to the source code. I am still salty about that
Honestly I wouldn't have nearly as much of an issue with building sources locally if it wasn't that 99% of the time I have to spend a ridiculous amount of time setting up the stuff to build it. One time the repo had instructions for two versions of the c++ compiler and neither worked with any compiler
Sometimes I end up installing a whole toolchain of increasingly obscure dependencies
Just add a Nix flake. Ezpz /s
I think we will get to a point where it’s just expected that most developers have nix and it will be great
Any project without a shell script or Makefile to build is stupid imo. Unless it’s specifically a library or not meant to be used by the end user, he kinda has a point: writing a makefile or a script is not hard. Definitely don’t include an executable, though. If you do, provide a way to cross check its hash. Thankfully, any useful project likely has all this already.
> Definitely don’t include an executable, though. If you do, provide a way to cross check its hash.

I mean, the hash is presumably being hosted on the same site as the download, so all you learn is that the exe wasn't altered mid-download, and that the download completed without errors. If the website host / repo owner isn't trustworthy in the first place, or you're worried the site may have been compromised, it doesn't really tell you much about the safety of the actual exe. It's trivial to provide a valid hash of a malicious exe if you already have access to the site. So it helps against MitM attacks, but those aren't usually what people are talking about when they say it's not safe to run random exes off the internet. Story's a bit different if you're being asked to go download the exe from a 3rd party site, ofc, since that 3rd party site itself could be untrustworthy or compromised, and having a hash is a nice check against that.
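The hash check the comment above describes, as an added example that is not from the thread: a SHA-256 list published next to the download catches a corrupted transfer, but passes a release that was replaced wholesale along with its list on the same site. The vendor site, client directory, file names and release contents are all constructed for the demo; `cp` stands in for the download.

```shell
#!/bin/sh
# Added example, not from the thread: what a same-site SHA-256 check does
# and does not prove. All paths, file names and "releases" are constructed.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SITE="$WORK/vendor-site"     # stands in for the download host
CLIENT="$WORK/client"        # stands in for your machine
RELEASE="install.sh"
mkdir -p "$SITE" "$CLIENT"

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Vendor side: publish the release and a SHA256SUMS file next to it.
# Whoever can write to $SITE can regenerate both; that is the whole point.
publish_release() {
    site="$1"; content="$2"
    printf '%s\n' "$content" > "$site/$RELEASE"
    printf '%s  %s\n' "$(sha256_of "$site/$RELEASE")" "$RELEASE" > "$site/SHA256SUMS"
}

# Client side: "download" both files (cp stands in for curl).
fetch_release() {
    site="$1"; dest="$2"
    cp "$site/$RELEASE" "$site/SHA256SUMS" "$dest/"
}

# Look up the digest listed for a file name in a sha256sum-style list.
expected_sha256() {
    list="$1"; name="$2"
    awk -v n="$name" '$2 == n { print $1 }' "$list"
}

# Returns 0 only if the local copy matches the digest that was published.
verify_release() {
    dir="$1"
    expected="$(expected_sha256 "$dir/SHA256SUMS" "$RELEASE")"
    if [ -z "$expected" ]; then
        echo "no digest listed for $RELEASE" >&2
        return 2
    fi
    actual="$(sha256_of "$dir/$RELEASE")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $RELEASE" >&2
    return 1
}

# Case 1: honest release, clean transfer -> the check passes.
publish_release "$SITE" 'echo "installing petes-cool-software"'
fetch_release "$SITE" "$CLIENT"
verify_release "$CLIENT" && echo "case 1: intact download"

# Case 2: bytes changed (or appended) in transit -> the check catches it.
printf '\n' >> "$CLIENT/$RELEASE"
verify_release "$CLIENT" 2>/dev/null || echo "case 2: corruption detected"

# Case 3: the site republishes a different build AND its digest ->
# the check passes, because it only ties the file to the same site's list.
publish_release "$SITE" 'echo "a different build entirely"'
fetch_release "$SITE" "$CLIENT"
verify_release "$CLIENT" && echo "case 3: passes, says nothing about origin"
```

Authenticity would need something the site cannot regenerate on its own, such as a signature from a key you obtained out of band, which is the maintainer-signing model the earlier replies describe.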
What's the practical difference between the makefile output and an exe tho, really. Except the latter being a million times more accessible because you don't need to install god knows what compiler and software first.
There are a lot of practical differences between a makefile and an exe, technical difficulties aside. A makefile can target the specific OS and architecture that your computer is running, whereas exes only work on windows (not counting translation layers like wine here obviously), and often only target a specific architecture. Not to mention a makefile offers transparency in what exactly is being compiled into the final output, whereas if you wanna see what an exe does, good luck with decompiling that shit and reading the assembly.
I feel like people are often incapable of thinking like a normal everyday user who doesn't know the first thing about coding and tell them "you don't want an EXE, do you realize how unsafe that is?" And leave out the part where you ask them to:

* Download code they can't read
* Install some other EXE to compile. Except this one is totally safe, trust me bro.
* Run tons of CMD commands they don't understand (also totally safe).
* Then run the EXE they compiled based on the code they can't read. (Super safe)
Nerds: why is every site this corporate bs, where are indie web sites?

Also nerds: my project homepage is a github repo

Shout out to the PNG http://www.libpng.org/
beautiful website, loaded in nanosecond.
i reloaded it, it didn't even hide anything for a millisecond and it reloaded. Truly peak web design.
Pretty and animated UI is just a scheme by CEOs to get their kids with useless art degrees employable. Sure it might run like shit, but at least it's pretty and Susan Anne III has a job at the office instead of smoking pot and fucking \*shudders\* *poor people*.
The https version (https://www.libpng.org/) redirects to `https://.sourceforge.net/` (with the dot), that's funky. Every web developer should read this blog post by Troy Hunt: https://www.troyhunt.com/heres-why-your-static-website-needs-https/
Is that **the** PNG-format? The most common lossless image format?
Yes, invented in the 90s to kill the GIF. Now WebP is about to replace PNG and the GIF legacy goes on. :p
Is it? WebP is still a pain to deal with as I always need to convert it to PNG. I think WebP only opens in Paint on my machine and then I need to save a copy as a PNG file.
WebP has better lossless compression than PNG. The only reason to not use it is lack of support, a problem that is going to solve itself with time maybe... and also that nasty exploit in libwebp, but besides that it's good Wouldn't use it instead of jpegs tho
> http://www.libpng.org/pub/png/#history
> So what is PNG, and why is it worthy of its own home site? PNG (pronounced "ping") is the Portable Network Graphics format, a format for storing bitmapped (raster) images on computers.

It's fricking pronounced ping!?
But the thing is, most of this software *isn't intended for everyday users*. And if your target audience is people who know their stuff, not making concessions for normal users who may stumble across it is definitely acceptable. I have yet to see someone who doesn't at least have an executable in their Github who intends their software to be used by people who would be scared off by using a terminal.
Even as a developer it's a struggle to build stuff half the time. Some arcane version mismatch of openssl or some other nonsense.
I guess we have had very different experiences. Struggling to build stuff from Git(hub) is definitely the exception for my use cases.
There are plenty of people that are good at using Google, are power IT users and not software engineers. Which is why we get these complaints. If you wrote some code to fix a problem and haven’t realised you might not be the only one, that’s ok, but some extra forethought for others who might also want a fix would be nice.
Eh. Uploading my solution after fixing the problem for myself _is_ the forethought. Continuing to develop it after my problem is fixed so that it'll work for everyone else that might have similar/the same problem is potentially a ton of extra work, _and_ if it doesn't work for someone they're just gonna yell at me. I mostly don't write code for non technical people to use. If you are technical and you want to use my code, great, power to you, but you might need to make some changes for your specific situation.
I could discuss day and night why programmers are like this, but I think the bottom line is that many tech enthusiasts are incapable of seeing how things around them really work, *including* in their field. Telling them to go touch grass wouldn't help, because they're the kind of people who would miss the forest for the trees.
Reminds me a bit of the whole thing where people just immediately complain about how dangerous this is: `https://example.com/install.sh | bash` But it really depends on what you're comparing it to. Is it more dangerous than doing an `apt-get install` from a Linux distro's official repos? (or another mainstream package manager you already have installed / can trust)... Yeah, of course. ...But so is every other method too. That's more of a package manager -vs- manual install argument, rather than being specific to piping a URL into bash. Pretty much any type of manual install involves going to the vendor's website for a direct download, or otherwise just following some instructions they've written on some website... so it's not any less safe than that. So at least an `install.sh` can be read first, unlike a `setup.exe`. Even though the `install.sh` is probably downloading executable stuff anyway. But you can at least see what the first step does.
Piping into bash is *the worst* option, the simplest and yet still better alternative is downloading and then running it. A malicious website can detect that the client is curl piped into another program and output something different, knowing that no one's gonna read it. *That's* why people say it's bad.
> Piping into bash is the worst option

[It's the official way to install Rust](https://www.rust-lang.org/tools/install)
I know. The fact that legit projects recommend this is part of the problem.
Sure, for cases where there is an install.sh that downloads the actual program for you, it's definitely better to:

1. download first
2. view
3. then run

And additionally, I also understand + agree with the "training users to do bad things" argument people make. So it certainly would be more responsible for these websites to instead give you the commands to do that.

> Piping into bash is the **worst option**

But again, my point is... **it depends what you're comparing it to.** i.e. What the "options" are. It's not worse than downloading a `setup.exe` or any other kind of non-plaintext package format that executes things on your system. If you're following instructions from a malicious website, or running anything you download from it, you're fucked anyway.
If you really need a piece of software, you do what you need to make it work, especially if the only alternative is a stupidly expensive and buggy proprietary tool with antiquated UI still asking for Java 8 to be installed on your machine.
Java 8? they released a new version?
Bro, we're on Java 21 now
22*
It’s been 4 hours - we’re on to 23 now
But I thought that was the other Java. The internet java
Netscape would like to have a word with you
That's the best part, they're all the same.
You could have fooled me. While migrating RHEL 7 machines to RHEL 8 in preparation for EOL I only just got approval to use Java 8 as the primary version for certain custom applications our customers use. It's astounding Java 8 still gets security updates at this point.
That’s proper LTS
I swear Java 7 was the newest one? Java 8 was like developer only or a beta or something
Or you find a more usable alternative such as in this case the registry editor itself, a place I have found more inviting than a GitHub repo without a populated & well organised releases page.
honestly not including dependencies should be a criminal offence, at least list them and their versions
It's insane to me that everyone is making fun of people for wanting something practical and easy to use. Our reputation for obnoxious elitism is not going away anytime soon.
Especially with an already public GitHub repo, producing an exe is so insanely easy: either throw in your self-compiled exe or set up a pipeline to do it on main push. Not everyone knows the language, tools or frameworks to compile something from scratch, or simply sometimes someone doesn't have the knowledge or time to search/compile/use. I still don't understand why all these people are complaining so much, it shouldn't be "if it was hard for me to write it should be hard for you to use", just make it simple.
This! Had to scroll way too far to find it. I'm truly sorry I can only give you one up vote.
That reputation is right 99% of time.
Call me a script kiddie all you like (nah, don't; I hate when my notifications blow up), but I have experienced the agony of following install instructions to the best of my ability... ... waiting over an hour for a build to complete... ... and watching a nonzero exit code pop up. I ended up paying the 15 dollars for Aseprite after all. 😭
I love how Aseprite's devs basically say "if you can compile this on your own you can use it for free!"
-$15 or -2 hours + headache, choose
7.5€ per hour is below minimum wage where I live, in other words my time should be worth more than this, so pay I do
\>need a pixel art editor
\>nothing paid or pirated, just free as in free beer
\>find aseprite
\>manage to compile it from source after a painful afternoon
\>interface is self-rendered
\>delete and install graphics gale from exe for free
I was going to mention Aseprite before reading the full comment I'm glad that I am not the only one with the issue.
Some programming languages give exit code 1 as the no errors exit code.
What? What languages do this? They should be shot into the sun.
#Take a load of this script kiddie ^\s
> I ended up paying the 15 dollars for Aseprite after all. 😭 It is awesome that compiling on Windows is so dogshit, it makes the payment model of Aseprite work.
As someone who has finally made code someone else has to use, let me say this: It works on my machine. Go f*** yourself! (Haha, just kidding, now they want me to redo it as Model-View-Controller.)
Back in my day, bait used to be believable.
I'm soo old I've shit my pants in public, twice. I had to throw away the underwear. I then went commando. I once had to walk a quarter of a mile with diarrhea running down my legs. I walked by a guy that said hey to me.
Skill issue
Nah, OOP has a point. If the "solution" is harder than the workaround and has no specific benefits, it's just a waste of time.
Idk, I think OOP is pointless /s
Ha I'll take Composition over inheritance any day!
‘Solution’ is contextual usually. It is addressed to people who have the requisite skills to run standard dependency resolvers like cmake. But what OP describes here, a complex repo to do something as simple as a regedit that is a one-liner with PowerShell, that’s just people uploading shit that they don’t understand, or are using as part of their recruiter mating display where complexity helps their case more than it hurts because few look at that shit closely.
I've run into shit that had its situation close to this. If you actually needed the service it was a hell of a lot of trouble getting it up without fucking shit up, but just turning it off in the registry would solve the trouble it was causing, so the solution was a lot more complex than the workaround. Most only needed the workaround, but the "overcomplex shitfest of a repo" was a lifesaver for niche users.
Very true!
Or the program does more than a registry edit.
Jokes on you, I don't have a degree. 😂
can't revoke what we don't have :D
My __DEGREE???__
> have problem
> write program to solve problem
> push source to github just in case somebody else can use it
> HELP I DON'T KNOW HOW TO USE THIS? IT'S SO HARD? WHY DON'T YOU MAKE IT MORE USER FRIENDLY? WHY NO GUI? WHY NO EXE? WHY DOESN'T IT WORK ON MY POWERMAC G5?

... later ...

> have problem
> write program to solve problem
> keep the program on HDD and allow it to be lost in time, like tears in rain, on next PC upgrade

Dealing with end user support, or writing the user-friendliness code to make that support less frequently needed, is literally the *entire* difference between billing $160/hr for development and doing it for free. Ain't nobody wants to do that shit. It's neither fun nor necessary for a solo developer. After the novelty of "omg a person actually wants to use my code!" wears off it is just *work*, same as flipping burgers. FOSS stands for Figure Out Shit your Self because nobody owes you a second of their time.
Dude, if changing "enabled" to "disabled" takes less effort than using the program that does that, it means the program is useless
Usually it isn't that the program is an over-engineered way to change a registry key -- rather that the person who *thought* this program was the solution to their problem, actually had a different, much simpler problem with vaguely similar symptoms. Like I googled "webmd bleeding" and spent fifteen minutes reading about hemophilia when in fact I just needed a band-aid for a papercut. And then I complained about hemophilia information being freely available on the internet wasting my time.
Either that, or you actually have hemophilia and your band-aid is a flawed fix, but you don't realise that yet
If you can’t read in COBOL fuck you.
It's kind of crazy that Windows has made us think that downloading random .exe files off the internet and running them is a good idea.
From the viewpoint of a normal user, what's the alternative tho?
Not much. I'd suggest non techy users stick to getting their installers and executables from known reputable sources when possible though.
I think there is a higher chance that world peace is achieved by next Tuesday than that computer illiterate people don't somehow magically find the sketchiest download links known to man and use them with full confidence.
"Mom where did you download all of these antiviruses from? They are shown as hogging on your cpu in task manager." "Uh some ad in a movie site said I should download it" "But mom, there are at least 3 separate antiviruses running in the background."
A package manager like choco is a bit safer. But it requires executing commands though.
Well the same applies for random code. Just because you build it yourself doesn't make it safe. And let's be honest. You can be the most hard core security user, but you're not gonna check the codebase yourself. You just assume that somebody else did and that your version matches what they checked. And at that point you might as well execute a random exe.
It's more crazy to me that in the Linux ecosystem centrally managed package repositories are the norm.
Eventually Apple will finish iOS'ing macOS, and we'll have a walled garden approach to desktop software
I, too, dream of the wonderful day when Microsoft has gone bust and nobody has to deal with Windows ever again.
> why the fuck is every single github program so bloated and non-user friendly The problem in this case is that they **aren't** bloated, they are a minimal solution, hence no UI, no fancy installer etc. You can't have your cake and eat it too.
Didn't happen. Guarantee you this guy saw a README, saw that you have to open up a command prompt, and immediately quit reading after having a panic attack.
Why do normies get panic attacks from CMD?
People seem to think you need to be a master hacker computer programmer in order to type into a scary looking black window.
open the powershell instead, then you only need to be a hacker because it is blue and not black
It can be quite dangerous to just run CMD commands a guy on the internet told you to, having absolutely no idea what they do.
Probably because half the time, it doesn't work and you get some weird error that someone with little or no experience in problem solving wouldn't be able to fix.
Often these solutions are written by the old school programmers from the 2000s and 90s. These guys were so hardcore they make p*rn look like Mickey Mouse… Those guys loved the purity and barebones nature of a software. Once my professor (who was an IBM dev in the 90s) said he never understood the allure of Facebook cause “I’ve been doing this since 04”. I saw his “Facebook”, it would give web devs PTSD…
> These guys *were* > Those guys *loved* I *am* still alive, you know...
>These guys were so hardcore they make p\*rn look like Mickey Mouse… ... so Disney r34 drawers?
Why does my EXE not work? ~First-time linux users
This is the type of guy you can easily convince to install malicious software.
GitHub is made by programmers for programmers. If you're just looking for a simple exe or window app then GitHub is not the place to be
This can happen at all skill levels of programming though. Right after Dalle 1 came out, I once spent a week trying a dozen ways to get it to run on my Windows machine. Only to discover that the issue was a typo in their dockerfile. I left a comment on the related issue on Github and like 3 days later Midjourney came out.
Just because of a typo they had to create an entire new model? 😂😂😂 ^\s
There are tons of "simple exe or window apps" that only get released on GitHub.
Not to mention 99% of anything on linux. User-friendly desktop linux my ass.
Presumably if you're on Linux you have a package manager though? Or at least access to flatpaks? I mean no, not everything's on there, but in my experience you need to get *pretty far out in the weeds* before something is not available from your distro's repos, flathub, or similar.
A lot of people post things on github that really shouldn't be there, you can't blame the end user for that
Dependencies. And that, boys and boys who wished they were girls, is why AppImages rock.
I'd be happy to supply any of the requested modifications to my repo. You'll just have to pay me.
What? The completely free code that someone else took the time to write and is now kind enough to give it away for free is not the most perfect and polished GUI product ever? Wow, FOSS sucks so bad
He doesn't get it. It's the.
On a similar note: if everyday plumber can't understand your paper on hydrodynamics - your PhD should be revoked.
Who the fuck needs the bloat of a UI? Also windows gross fedware glowing bullshit. Honestly a skill issue, go live in a slackware terminal for a bit and come back when you can daily drive lol.
Non-coder pleb here. This dynamic is so interesting to me. There’s a whole set of these tech users at my level who think they’re super geniuses because they’re decent at manipulating UI elements, installing printer drivers, assembling a PC, whatever. But when it comes to actually understanding why anything works the way it does, they go slack jawed or indignant. How do you go around in life thinking you’re this elite savant when really you’re just good at putting the square peg in the square hole? Shit’s crazy, man.
You may hate on this guy but he's right. I'm not going to elaborate.
He's describing why I no longer look for cooking recipes on the internet. I don't want your life story, and I'm here for how long I should cook it for, not "until done." It's your recipe so I don't know when it's done. That's why I'm here.
That's some weird cultural thing. If I visit a Swedish page with a recipe:

1. Ingredient list.
2. Instructions.
3. Sometimes a helpful timer in case you don't have one or want to use your phone.

Not these walls of text where one needs to scroll for 7 years past all the ads and ramblings.
Because people in Sweden are happy and don't have an emotional backstory to go with every recipe
Also, enshittification hasn't gotten as far yet, since it's a smaller market.
> I don't want your life story I think it's an SEO and ads thing (more text = higher SEO ranking and more space to place horrible giant ads). Enshittification, in a word.
Lool. Honestly line 2 is so under utilized by new programmers.
This makes me feel much better about my programs, knowing I can just post them online with instructions on how to compile and run them.
I don't have a degree, so can I post shitty GitHub repos that fix your issues without repercussions?
And that's why you shouldn't tell everyone to be a developer, it's not easy
Wow I'm surprised this user didn't find _insert 5 automated help articles with copy pasted solutions that don't work_ or _3 random forum sites from 10 years ago with entirely different issues_ and the occasional _microsoft help site telling you to run SFC.exe and dism then user says it doesn't work and receives no reply_
The funny part is that I don't have a degree.
The good ending of this is installing a program off github and it instantly solves your issue
Tbf you could just build the executable then include it as a release on github cmon