Support for AARCH64

Dridi Boukelmoune dridi at varni.sh
Wed Jun 17 18:17:12 UTC 2020


On Wed, Jun 17, 2020 at 3:05 PM Geoff Simmons <geoff at uplex.de> wrote:
>
> On 6/17/20 16:56, Nils Goroll wrote:
> > On 17/06/2020 10:00, Emilio Fernandes wrote:
> >> 1.1) curl -s
> >> https://packagecloud.io/install/repositories/varnishcache/varnish-weekly/script.deb.sh
> >> | sudo bash
> >
> > The fact that, with my listmaster head on, I have not censored this posting,
> > does not, *by any stretch*, imply any form of endorsement of this practice.
> >
> > My personal 2 cents: DO NOT DO THIS. EVER. AND DO NOT POST THIS AS ADVICE TO OTHERS.
> >
> > Thank you
>
> +1
> To point fingers at the right people, this is what the packagecloud docs
> tell you to do.
>
> But ... the *packagecloud docs* tell you to do that!
>
> If I could have them arrested for it, I'd think about it.
>
> Piping the response from a web site into a root shell is stark, raving
> madness.

Dudes, chill out and live with your time.

It's not like attackers taking control of packagecloud could send a
different payload depending on whether you curl to disk to audit the
script or yolo curl to pipe.

https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

We've known for years that it isn't possible.

Dridi
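
As an added example (not part of the thread or of packagecloud's documentation): the linked article describes a server telling `curl | bash` apart from a download to disk, so the bytes you audit must be the bytes you execute. This sketch downloads once, pins the SHA-256 of the audited file, and refuses to run anything else; `INSTALLER_URL`, `PINNED_SHA256` and `RUN_WITH` are names assumed for illustration.

```shell
#!/bin/sh
# Added example: execute only the exact bytes that were audited.
# INSTALLER_URL, PINNED_SHA256 and RUN_WITH are placeholders, not values from the thread.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_to_disk URL FILE: a single HTTPS download saved to disk, never piped to a shell.
fetch_to_disk() {
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
         --output "$2" "$1"
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE only when its digest equals the one recorded at audit time.
# Returns 2 if the digest cannot be computed, 3 on mismatch (nothing is executed).
run_if_pinned() {
    file=$1; expected=$2; shift 2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 3
    fi
    # The interpreter defaults to sh; set RUN_WITH=bash for scripts that need bash.
    "${RUN_WITH:-sh}" "$file" "$@"
}

# Intended flow (placeholders, needs network access, so not executed here):
#   fetch_to_disk "$INSTALLER_URL" ./script.deb.sh
#   less ./script.deb.sh            # audit the file on disk
#   sha256_of ./script.deb.sh       # record this digest as PINNED_SHA256
#   RUN_WITH=bash run_if_pinned ./script.deb.sh "$PINNED_SHA256"
```

Re-fetching the script later and checking it against the same pinned digest shows whether the server handed out different bytes than the ones that were reviewed.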

