Open caspear opened 9 years ago
I feel this is already part of the threat model:
"The user obtains an authentic copy of Pond. The computer correctly executes the program and is not compromised by malware."
I think I am being insufficiently clear.
The page explicitly instructs the end user to copy code from a web page and paste it directly into the terminal.
That is not a safe operation, because there is no WYSIWYG when copying from a web browser. Teaching people that it is an acceptable thing to do encourages development and persistence of harmful practices.
I made you a pull request that hopefully demonstrates what I am trying to say.
On https://pond.imperialviolet.org/ you ask people to copy-paste some shell commands directly into a terminal.
That is a terrible security practice, because of https://thejh.net/misc/website-terminal-copy-paste
Please change your wording to ask them to paste the commands elsewhere first, so that it doesn't look like you are trying to attack them.
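An added example, not part of the original thread or of Pond: one way to do the "paste elsewhere first" step is to run the clipboard text through a small checker before it reaches a shell. The function names, the `expected_lines` parameter and the sample string are assumptions made for this illustration.

```python
import unicodedata

# Constructed sample: the page shows one line, the clipboard holds more.
SAMPLE = "echo visible\necho not-shown\u200b-on-page\n"

def reveal(text):
    """Escape everything non-printable so the paste can be read as it really is."""
    return "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )

def audit_paste(text, expected_lines=1):
    """Return (line_no, finding) pairs; line_no 0 means the paste as a whole."""
    findings = []
    lines = text.split("\n")
    if text.endswith("\n"):
        # A trailing newline makes the shell run the last line without Enter.
        lines.pop()
        findings.append((len(lines), "trailing-newline"))
    if len(lines) > expected_lines:
        findings.append((0, f"extra-lines {len(lines)}>{expected_lines}"))
    for no, line in enumerate(lines, 1):
        for ch in line:
            cat = unicodedata.category(ch)
            if cat == "Cf":
                # Zero-width and bidirectional format characters render as nothing.
                findings.append((no, f"format U+{ord(ch):04X}"))
            elif cat == "Cc" and ch != "\t":
                # Escape, carriage return, backspace and other control bytes.
                findings.append((no, f"control 0x{ord(ch):02x}"))
    return findings

if __name__ == "__main__":
    print(reveal(SAMPLE))
    for no, finding in audit_paste(SAMPLE):
        print(no, finding)
```

An empty result from `audit_paste` means only that none of these specific discrepancies were found; the escaped output of `reveal` is what should be compared against the command shown on the page.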