Make Scripts Optionally "Offline" #15
newzealandpaul started this conversation in Ideas
Replies: 2 comments 4 replies
-
1, you already got an answer there
            -
@Mellowlynx I agree this does look like a duplicate, although I was unclear on your answer. Making the scripts run this way would be a few extra characters and a simple awk replace over the repo:
-
I posted this in discussion over at tteck's original repo discussion. tteck never responded, which is quite understandable.
This project is going to be a target for malicious actors, if not now, at least in the future. It would be easier to be malicious with these scripts than with XZ, and we all know how that turned out when the original maintainer was unable to continue.
I think a first step would be to make scripts be able to run offline. Here is what I posted last month:
The last time I checked, scripts pull code automatically from the github repo. So even if you check out the entire repo, you will still be pulling scripts from the github repo. The cron updater, for example, pulls new code every time it runs.
Having the scripts be able to run "offline" (by that I mean not executing bash scripts pulled dynamically from the internet) would be a useful feature. This way updated scripts can be easily audited.
I am not suggesting @tteck, who does such an incredible job, would inject anything malicious. But given how widely these scripts are deployed, this repo is likely a target by malicious actors.
...
1. Check out the https://github.com/tteck/Proxmox repository
2. Run a selected script from the checked out repository using bash, e.g. raw/main/ct/mongodb.sh
3. When raw/main/ct/mongodb.sh is run, it runs locally and does not pull in any scripts from https://raw.githubusercontent.com/tteck/
4. If I want to update the scripts to the latest version, I run git pull origin

Right now, in step 3, https://raw.githubusercontent.com/tteck/Proxmox/main/misc/build.func is pulled using curl even if the script is running from a checked out repository (step 1).
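As an added example (not part of the original post and not the project's own code), this shell audit lists the lines in a checked-out copy that fetch code with curl or wget at run time, which is the behaviour the post describes for build.func. The function names, the matching heuristic and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a checked-out script repository for run-time fetches.

# Print "file:line: text" for every non-comment line in *.sh / *.func files
# that calls curl or wget against an http(s) URL.
# The pattern is a heuristic (assumption); it is not an exhaustive detector.
find_remote_fetches() (
  dir="$1"
  find "$dir" -type f \( -name '*.sh' -o -name '*.func' \) -exec awk '
    /^[ \t]*#/ { next }                       # skip comment-only lines
    /(curl|wget)[^#]*https?:\/\// {           # fetch tool followed by a URL
      printf "%s:%d: %s\n", FILENAME, FNR, $0
    }' {} +
)

# Build a small constructed sample tree (NOT the real repository contents):
#   ct/mongodb.sh  sources build.func over HTTPS (the pattern to flag)
#   ct/local.sh    sources build.func from the checkout (the "offline" form)
make_sample_repo() (
  d="$(mktemp -d)"
  mkdir -p "$d/ct" "$d/misc"
  printf '%s\n' '#!/usr/bin/env bash' \
    '# curl https://example.invalid/mentioned-only-in-a-comment' \
    'source <(curl -s https://raw.githubusercontent.com/tteck/Proxmox/main/misc/build.func)' \
    > "$d/ct/mongodb.sh"
  printf '%s\n' '#!/usr/bin/env bash' \
    'source "$(dirname "$0")/../misc/build.func"' \
    > "$d/ct/local.sh"
  printf '%s\n' 'msg_ok() { echo "ok: $1"; }' > "$d/misc/build.func"
  echo "$d"
)

# Demo: scan the directory given as $1, or the constructed sample if none.
target="${1:-$(make_sample_repo)}"
find_remote_fetches "$target"
```

Run against a real checkout by passing its path as the first argument; every reported line is a place where code outside the audited tree would be executed.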