• 7heo@lemmy.ml
    link
    fedilink
    arrow-up
    56
    arrow-down
    1
    ·
    9 months ago

    This doesn’t pass the smell test.

    • Instructs to pipe the output of curl in sh
    • Assumes that sh is bash [1]
    • “Community” behind it is apparently originating in Berlin, and is now a “nonprofit foundation in Switzerland”, but has no publicly disclosed legal structure anymore.
    • “Community” behind it uses discord, but not revolt, matrix, simplex or others.
    • “Community” behind it uses twitter, but not mastodon.
    • Cryptobros.

    1. sh <(curl -sSf https://url.redacted/script) ↩︎

    • CrinterScaked@sh.itjust.works
      link
      fedilink
      arrow-up
      14
      arrow-down
      9
      ·
      9 months ago

      Installing by piping from curl is pretty common and not a red flag in and of itself. Even Rust is installed this way. If you don’t trust the URL, you also shouldn’t trust any binary installers downloaded from that website.

      • corsicanguppy@lemmy.ca
        link
        fedilink
        arrow-up
        15
        arrow-down
        3
        ·
        9 months ago

        Installing by piping from curl is

        Toxic. Speaking as someone who was security chief at an OS, what you meant to say was ‘toxic’.

        Given its insidious nature, though, ‘venomous’ may be a good alternate.

            • asudox@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              9 months ago

              Crates is insecure

              And? You are literally installing someone else’s code. The compiler isn’t an AV. This is true for all langs.

              piping curl to bash for installing rust Dev tools

              How is it any different than installing binaries from the site and just pulling the binary via curl? The bash script is also visible to anyone, feel free to check it for anything that might be malicious.

              • delirious_owl@discuss.online
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                Trust is a thing. We should trust the person writing our dependencies and be able to verify that it was published by them, and not somebody in the middle maliciously altering the code.

                You should not be installing unsigned binaries from a website. Either use a package manager that checks for signatures or manually check the signatures yourself. If the project doesn’t sign their releases, open a bug report.

        • pcouy@lemmy.pierre-couy.fr
          link
          fedilink
          arrow-up
          2
          ·
          9 months ago

          Can you elaborate?

          I was under the impression that there was some kind of consensus around rust being one of the safest languages to use. However, I’ve seen comments about rust being bad pop up in a few threads lately but they never explain why they think so.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            9 months ago

            You’re talking about using the language and preventing errors. That’s less about security and more about preventing errors.

            I’m talking about the supply chain, watering hole attacks, etc. Crates does not cryptographically verify the authenticity or anything that it downloads.

            The only language that I’m aware of that has a dependency manager that has cryptographic auth of everything it downloads is Java’s Maven. Everything else is vulnerable, rust included.

  • infeeeee@lemm.ee
    link
    fedilink
    arrow-up
    38
    arrow-down
    3
    ·
    edit-2
    9 months ago

    The most important questions about any p2p service:

    • why would anyone store my data?
    • why would I store someone else’s data?
    • how can i be sure that someone else’s data is not CSAM: i found the answer you can select what repos to sync

    It seems to me it’s IPFS again, but now for git repos. And it has the same problems as IPFS

    • shrugal@lemm.ee
      link
      fedilink
      arrow-up
      23
      arrow-down
      1
      ·
      edit-2
      9 months ago

      I believe the thinking should be the other way around.

      No one wants to store your code, and you shouldn’t store anybody’s code either. But suppose you have a group of people who want to collaborate on (or just mirror) a codebase, so they already decided to store it on their machines. This project gives them a decentralized tool to coordinate their efforts, and their code/issues/patches will be stored and accessible as long as they are interested in it.

      Like, the tool doesn’t give you a reason to use it, but if you have a reason then here is a tool to help you.

    • Clot@lemm.ee
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      9 months ago

      Same question. P2p was initially used to pirate stuff e.g. movies which isn’t a private property and streaming that through p2p made a lot of sense. But for codes I don’t know if its appropriate or not…

    • ryannathans@aussie.zone
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      edit-2
      9 months ago

      Why is CSAM the only traffic you object to? When you run torrent clients and such how do you filter out CSAM peers from the DHT?

      • infeeeee@lemm.ee
        link
        fedilink
        arrow-up
        8
        arrow-down
        2
        ·
        9 months ago

        There were other similar initiatives where everything is encrypted, so you cannot be sure what others store on your node. For torrent you can select what torrent you download and share.

        I was thinking about Storj, where you get “money” for hosting other people’s content in a similar p2p fashion. For Storj the answer to the first 2 questions are money, but you can’t answer the third, because encryption. (“Money” is not real money but some strange crypto, but that’s not important now.)

        CSAM is just the worst possible example, it’s forbidden in most countries of the world, and no sane people should be ok storing it. The main thing is, if you host other people’s content, can you know what is the content, do you have some word if you want to host it or not.

          • infeeeee@lemm.ee
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            9 months ago

            DHT returns an ip based on a hash, what do you mean.

            If you solely rely on DHT for searching for new things to download, than yes, that’s a good way to get unwanted material on your hard disk, I don’t recommend to do that to anybody at the curtent state of the technology. Don’t mix up things deliberately, usually people don’t do that, they get a torrent file or magnet link from a trusted source, than DHT can’t mess it up.

            • ryannathans@aussie.zone
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              9 months ago

              Participating in the DHT allows others to find torrents and peers, without filtering, beause your machine is sharing information from your DHT peers.

              Interesting where you try to draw the line

              • infeeeee@lemm.ee
                link
                fedilink
                arrow-up
                2
                ·
                9 months ago

                As I understand DHT is just addresses and hashes, not the actual data.

                I draw the line this way: If I disconnect the computer from the network any given time, does it store the questionable data.

                • ryannathans@aussie.zone
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  edit-2
                  9 months ago

                  Would running an onion relay that helps people access illegal material be fine? Nothing gets stored on your machine

    • Clot@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      9 months ago

      Here’s another response I got from someone from radicle regarding this.

      That’s a great Q.

      Radicle can support a federated model, where known major seeds are connected with multiple smaller clusters. >Radicle supports also completely self-sustaining and disconnected clusters of nodes networked between themselves >within that cluster. And of course any other network topography in between.

      There’s a promising active proposal to establish a dedicated new Radworks Organization tasked with solving the >incentivization and reward problem for seeds. https://community.radworks.org/t/discussion-rgp-22-start-the

      Additionally, similar to how one can “star” a repo on GitHub, one can “seed” a repo on Radicle. “Starring” a repo is >often a toast of support, akin to an emoji reaction, with little more effect other than that, but in Radicle “seeding” a >project, goes beyond incrementing a vanity metric: it actively supports propagating that project across the Radicle >network. The count of seedings per repo can also be used as a differentiator between original and “copy-cat” ones.

    • Auzy@beehaw.org
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      9 months ago

      More importantly, why would you want to host code on a few likely-totally-unreliable computers, when you can host on a few servers which are bulletproof with redundancy?

      Github has a SLA of 99.9% uptime reliability lol

  • Tobias Hunger@programming.dev
    link
    fedilink
    arrow-up
    15
    arrow-down
    3
    ·
    9 months ago

    Serious question: What is the point?

    Just push into half a dozen mirrors and you are pretty censorship resident without the crypto voodoo put on top of git.

    Github has one huge value: Discoverability of a project. This is even worse than hiding your project in one of the smaller forges… nobody can remember the mess of letters you need for this.

    • onlinepersona@programming.dev
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      9 months ago

      Do you think it’s good that the majority of code is hosted on a proprietary service? Do you think it’s good that that service is centralised? Do you think it’s good that if you want to provide an alternative to that service, you create another island with a different ecosystem that cannot communicate with the other island?

      CC BY-NC-SA 4.0

      • Tobias Hunger@programming.dev
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        9 months ago

        No, I would prefer a world where not everything is concentrated on github, but that is the world we have to work with:-)

        But how does this address any of the problems you brought up?

        Do you think a project will be more discoverable when you say: “Clone foo/bar from github” or when you say “install this strange crypto-BS, then clone rad:xyhdhsjsjshhhfuejthhh just like you normally would”?

        Apart from discoverability you get a known workflow for contributors, a CI and a bug tracker. Coincidently those make it hard for projects to switch away from github… how does this address any of that? “Use this workflow, which is even wierder than any of the other github alternatives!” and “just set up a server yourself”?

        Sorry, this is just yet another crypto-bro solution in search of a problem. Technically interesting, I’m give you that, but useless.

        • onlinepersona@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          9 months ago

          No, I would prefer a world where not everything is concentrated on github, but that is the world we have to work with:-)

          Then how do you not see the point of a distributed sourceforge?

          But how does this address any of the problems you brought up?

          Have you read the webpage? radicle is opensource, it’s distributed and thus many interconnected islands, just like the fediverse. Why are you on the fediverse and not on reddit?

          Do you think a project will be more discoverable when you say: “Clone foo/bar from github” or when you say “install this strange crypto-BS, then clone rad:xyhdhsjsjshhhfuejthhh just like you normally would”?

          Again, have you even opened the webpage?

          Sorry, this is just yet another crypto-bro solution in search of a problem.

          So github is not a problem? And regarding crypto, show me where in the code it forces you to use crypto. Show me the rad command that inhibits you from doing a normal git operation by bringing up crypto.

          CC BY-NC-SA 4.0

          • Tobias Hunger@programming.dev
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            9 months ago

            Then how do you not see the point of a distributed sourceforge?

            But this is no forge, it is just a git repo.

            Again, have you even opened the webpage?

            Yeap, I even put a repo into it. That’s why I am so certain that it is useless.

            Hosting a git repo is not a problem. Having an discoverable forge is. And this does not help with that in any way.

            So github is not a problem?

            Something can not be a solution independent of whether or not something else is another problem or not.

            And regarding crypto, show me where in the code it forces you to use crypto. Show me the rad command that inhibits you from doing a normal git operation by bringing up crypto.

            There is lots of needless crypto(graphy) going on all over the place. It is entirely useless for code hosting in a git repo.

      • Auzy@beehaw.org
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        9 months ago

        Git is a DISTRIBUTED version control repo. You can fork to different services from Github. https://www.atlassian.com/git/tutorials/git-forks-and-upstreams

        And Github has a REALLY extensive API to interact with from other servers too (even issues and such).

        Peer to Peer stuff sounds awesome, except it’s only as reliable as the nodes. And, Github is hosted on many servers, with a huge amount of redundancy. It’s basically a privatised P2P system where each server is reliable, instead of a bunch of unreliable public hosts which might not have backing from a large corporation.

        And whilst we’re talking about reliability, even centralised stuff like Sourceforge is hosting code from 20 years ago. Whereas, it is difficult to load a torrent from 2 years ago lol

        • onlinepersona@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          9 months ago

          OK, track your issues in git with access from others on a web interface. Let somebody make a merge request to your project on github from gitlab, gitea, or straight up from your local git repo without a github account.

          CC BY-NC-SA 4.0

      • _sora@mast.lat
        link
        fedilink
        arrow-up
        1
        arrow-down
        2
        ·
        9 months ago

        @onlinepersona @hunger have you tried hosting your own git repo? I never thought I’d live to see git, of all things, being considered “proprietary service”. Also Hunger suggested using more than one server, which means it’s not completely centralized.
        There’s really no meed for p2p crypto magic here, git just works

        • Captain Aggravated@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          8
          ·
          9 months ago

          git is open source. Github as in the repository hosting service is owned by Microsoft, a company for whom the phrase “for profit” isn’t severe enough a description.

          • ErilElidor@feddit.de
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            9 months ago

            But it couldn’t be easier to just set up a second remote, that isn’t GitHub with just vanilla Git, if you don’t trust Microsoft (Or even fully switching to a different remote). Why is there a need for something else in addition?

        • onlinepersona@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          9 months ago

          I’m not sure if you’re making a bad faith argument or genuinely didn’t understand I was referencing github.

          Also, where is the crypto magic? The website doesn’t mention crypto at all…

          CC BY-NC-SA 4.0

    • spiritedpause@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      10
      ·
      9 months ago

      Off the top of my head: with Forgejo, you alone have the burden of hosting your repo, which means if your repo becomes popular, you have to deal with the costs of all that traffic to it.

      The nice thing about the P2P/seeding aspect of Radicle is that anyone can clone your public repo and help seed it to others.

      I see that Forgejo is working on federation which should help distribute the load of hosting a repo, but that doesn’t look to be completed yet

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    7
    arrow-down
    2
    ·
    9 months ago

    I dislike that JavaScript is required… not just for best experience or functionality, but literally to get a non-blank page. Not even a <noscript> is left.

    One of the failures I think of all of these forges is they keep trying to tackle getting users by posing moral arguments instead of technical ones too. I hate Microsoft GitHub as much as anyone, but what am I getting from Forgejo or this if instead of fixing the issues with MS GitHub, they are trying to copy everything–including the bad stuff like compatibility with a YAML CI system & the glacial pace of the pull request model where maintainers act entitled rather than just merging shit then fixing their nits. Like, pitch me a CI system that isn’t shit or review that isn’t dogwater like the pull request model & now I’m interested in migration for a better experience rather than just a FOSS clone that doesn’t get you anything better other than a clearer conscience.

    • tengkuizdihar@programming.dev
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      rather than just merging shit then fixing their nits do you have something in mind better/more practical? Merging stuff from any contributor without reviews sounds bad.

      • toastal@lemmy.ml
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        9 months ago

        You review the ideas & code at a high level. I feel like you didn’t read the “nit” part. Instead I get review for my flyby patch (no plans to be a mainstay) where the idea is fine, but the maintainer wants me to worry about variable names, spacing, & other BS that doesn’t matter. You get a ton of “please add space here” type comments & the maintainer is putting the onus on you to fix their quirks which leads to a really slow review process full of irrelevant nitpicks. A maintainer should just merge that code & fix the nits themselves rather than expecting everyone to care about their naming conventions. Pull request model in an MS GitHub-like UI encourages this behavior.