
I am, and I actively recommend it to anyone sufficiently well educated that they could (and would) go through the contents of the script manually and verify its contents. I don't do anything additional that could be automated in a general fashion, but my own scripts (partly based on Tron) include custom things specific to my setup - adjusting router/firewall settings, interacting with my automated backups, etc.



Yeah, I can pull the script down and have something that I know works.

It’s not a security thing, I don’t trust the business people to avoid changing things in a breaking way.


Yes, just "script kiddies" with automated tools.

We're totally OK with you using the script. :) Most people, especially those just looking for a way to be secure without knowing anything about the command line, are whom this tool was built for. Glad you liked it!

Sure - I'll be happy to show you the scores of scripts I have written to do everyday tasks like switch pipewire audio sinks, wrap youtube-dl, generate/copy RSA tokens, convert/combine images to PDF etc. that were written in the sliver of time afforded to me after I'm done with family and kids. Those scripts in no way represent the code I get paid to write in my job, but if you find that to be an issue, then you have found the flaw in your method.

Do you also verify each line of the software that the script is installing?

Scripts require manual review. It's not automated.

eh it's fine. sure, technically speaking you're giving your machine over to whoever wrote that script. they could do anything! but actually, the script is usually useful and safe. Like this one.

I am not connected to Tronscript in any way.

It is simply a great automatic tool that really cleans up a lot of problems.


I wouldn't let a script take over steps 234678.

Firewall rule management is where automation can shine.


When you say "a script" what do you mean? A script that configures a server incorrectly to let you see the kind of things you can do?

Yes I do. For example, I have a little script to install Drupal modules, which is nothing more than downloading the tarball from the Drupal website, and untarring it in the proper directory.

Likewise, I've got scripts to extract strings to translate (with gettext()) using xgettext from various project directories, and merging it with older, already existing translations; and for installing edited translations afterwards (with msgfmt).

I also have a script to upload files that were changed locally to a remote server.

No, it didn't take me 2 weeks to code them.

Most of the time I just do the task once, and store the commands in a file. Next I edit that file replacing values with script arguments. Tada! Instant script. For lists of values that depend on the project, I create presets (one argument determines what set of values to use).
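The workflow described in this comment (do the task once, save the commands, swap the hard-coded values for arguments, and add presets for per-project value sets), as an added example that is not the commenter's own script. It models the "download the tarball, untar it in the proper directory" module installer: the preset names, directory layout, and the sample tarball are all constructed for the demo, nothing is fetched from the network, and the checksum check before unpacking is an addition a practitioner would want so that a changed upstream archive is not installed silently.

```shell
#!/bin/sh
# Added example: a small "install module from tarball" helper with presets.
# All paths, preset names and the tarball below are constructed for the demo.
set -eu

WORK=$(mktemp -d)

# Preset: one argument selects the whole set of project-specific values
# (here only the modules directory, but a preset could set several variables).
preset_dir() {
  case "$1" in
    dev)  printf '%s\n' "$WORK/dev/sites/all/modules" ;;
    prod) printf '%s\n' "$WORK/prod/sites/all/modules" ;;
    *)    echo "unknown preset: $1" >&2; return 1 ;;
  esac
}

# Build a stand-in for a downloaded module tarball (constructed sample data).
make_sample_tarball() {
  mkdir -p "$WORK/src/example_module"
  printf 'name = Example\n' > "$WORK/src/example_module/example_module.info"
  tar -C "$WORK/src" -cf "$WORK/example_module.tar" example_module
  printf '%s\n' "$WORK/example_module.tar"
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_module PRESET TARBALL EXPECTED_SHA256
# Refuses to unpack unless the archive matches the checksum recorded when the
# archive was reviewed; prints the destination directory on success.
install_module() {
  preset=$1; tarball=$2; expected=$3
  dest=$(preset_dir "$preset") || return 1
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $tarball: got $actual" >&2
    return 2
  fi
  mkdir -p "$dest"
  tar -C "$dest" -xf "$tarball"
  printf '%s\n' "$dest"
}

# Demo run: create the sample archive, record its checksum, install to "dev".
TARBALL=$(make_sample_tarball)
GOOD=$(sha256_of "$TARBALL")
install_module dev "$TARBALL" "$GOOD"
```

The point of the preset is that the script body stays identical across projects; only the argument changes. The checksum argument is what turns "download and untar" into something you can re-run later with confidence that it installs the same files you reviewed the first time.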


No problem. I feel it's good to automate stupid little things like this, and to share those stupid little scripts with the world.

And yes, I'm an automated tester. :)


Get out, that script is huge. I could install small convenience scripts that I can audit, but this monster is 3K+ lines. Too risky.

Not necessarily. If the script is documented and written cleanly (e.g. Fabric3, which has very little magic and reads almost like Bash), then it can serve as "runnable documentation". In this case automation could be really good for continuity and bus factor.

But yeah... got to put some effort into it. Like all docs, script-docs won't write themselves.


I'm curious what's the alternative if the script must have those credentials to do its job.

Well, you're going to run the thing the script downloaded with exactly the same user and privileges as the script you're running. Unless you're doing a full audit on all the code and not only a cursory look on the installation script, this looks to me more like security theatre.

I did do this with no script and just allowed websites I trust, but it is such a massive chore to keep everything working that I've given up.

This is a great trick, but no one should ever run someone else's script that does this unless they have verified the script line by line beforehand.

Surely these are the same kinds of people who will carefully review all scripts before running them, right?