Does anyone even look at a thumbnail? ;-)

Found it only after this comment 😂

@@zeveroarerules apparently they only do when I don't make a joke

I did see it! Is my display larger than average or why wouldn't we see it?

Sus

Same 😭

Sir, I beg to differ. I haven't touched mine in about a year when I was still learning and it's bad.

May I see them? Where are they?

and that's the reason why all my repos are private, lol

my code is public, but no one ever looks at it

Oh good grief yes.

Wasn't it also doing two different fetches with curl? If curl isn't doing any caching in between couldn't you just give the proper payload that matches the hash in the first request and then switch it out for something malicious when it is fetched again? Yes, that is very unlikely and would mean you would be serving the real thing to people using the auto updating script shown first, but still a possible exploit vector.

​​@@HroiG It only double fetches if you use the verified install mode. You need to explicitly click to show that version of the snippet. And as any dev can tell you: if it's not the default then, for a decent majority of users, it might as well not exist

I fear my local shady free wifi

Wait… Couldn’t an ISP Standard DNS redirect it to a message about ZI being sketchy?

Pretty much "common cold" in plague inc that evolves symptoms to diarrhea/projectile vomit as soon as Greenland is infected

It would also be an excellent to control the amount of affected computers, if you're serving it from a endpoint that switches to a malicious package but only for 1 out of every 100 requests for example, or ensure it only affects requests that come from specific IP blocks.

It's even worse than that. It's trivial to detect the IP of specific machines and serve unique payloads to specific targets.

exactly

exactly what I'm thinking

Stop it, don’t give red hat ideas

"Shell as a Service". Think of all the income streams! The genuine subscribers, the "I want my computer back" subscribers, the "I want that guy's computer" subscribers, the "I want that guy's computer to stop working" subscribers...

That bad English on that site is incredibly reminiscent of bad English translations from Chinese product manuals.

That was exactly what happened in the xz debacle, except in reverse. (The payload came first in obfuscated form, then came the triggers)

It's basically just a shell for people who like the letter Z, in the first place..

Yeah. If you want to emphasise speed, why choose an animation which everyone associates with an annoying wait?

It's fine if you check what cURL is getting.

​​@@idogaming3532 yeah but you need to absolutely trust the source too especially since it's calls home every time you open up a shell

i have an installer for my dotfiles with curl | sh, you can just copy the files manually, or you can use the installer

@@idogaming3532 not true. curl | sh is always potentially bad because even if it's https and the script itself is good, there's always the risk of it not downloading fully and a broken script being executed. Imagine if there's a line that goes like `rm -rf ~/.local/share/program/abc` or something, and you have connection issues at the "~/" part. It's also possible for the website to serve a different script depending on whether you access the website via a web browser or with curl. Also possible for the website to randomly serve malicious scripts only a portion of the time to try and appear legit.

mr emojipick dev?😄i remember ur github username by heart cuz i clone ur repo on every new machine for the emoji picker 🤣

@@distant6606 🙃yes its me, guess I cant hide by using same picture and name. xDD (actually not trying to hide at all). Glad you like it and use it that often. 🥰Replies like yours always warms my ❤. There are actually 2 different such tools in the repos. But guess they need some love again to make them work on Wayland properly... 🤔

@@distant6606 (man KZfaq keeps deleting random comments) 🙃yes its me, nice to meet you. Glad you like it and use it that often. 🥰Replies like yours always warms my ❤. There are actually 2 different such tools in the repos. But guess they need some love again to make them work on Wayland properly... 🤔

@@distant6606 😤Oh man, youtube is a let down again, deleting my comments for no reason. Well in short I want to thank you for the nice words. I'm so glad it is useful to anyone else. There are actually 2 different emoji picker tools.^^

@@thingsiplay and thank you for making them :) i only thought it was one, ill make sure to check the other one out as well.

Yep, the fanciest I get is adding my own aliases.

I do like modyfing bash configs because there are some useful things you might want to enable. It's actually crazy how people don't know how much you can do with bash already

i see you on every comment section i swear

​@@rangeramg Yes same lmao

when @skelebro9999 is SUS ඞඞඞ

​@@ElMarcoh😱😱😱

When you're stupid.

Not everyone knows the name Dharma or Greg.

Wdym? That's a super common word. Linux ecosystem does have its fair share of names from Sanskrit - Adwaita, Garuda, Kali, Bodhi, etc. So it's just ignorance.

@@curious_banda You think Brodie's not doing it on purpose then?

I wish more people were aware that such plugin managers are looked at by such small people that malware would probably never get caught

They could also be playing the long game and have it download the legit stuff for years to build trust, before putting something malicious in it.

is this a reference to something specific or is it more like just hinting at the fact that no software is 100% free from malice

​@@callyralTempleOS would like a word

​@@callyralMy `helloworld` program has 0 malware. It don't spy or have internet capabilities. I'm a honest dev.

I like fish so far, any issues with it I should know ofV

@@kodeytheneko Nope, just joking about the fact that nothing is infallible, so far fish has served me well

welp, extra efforts (burdens) for auditing had to be done, it seems

I see what you're saying but there's a big difference between doing something suboptimal and taking the installation method of a project you forked and then making it worse

@@BrodieRobertson Yeah, fully agree.

Doesnt explain why their site pretends to be zsh, or why they lie about not owing zdharma org.

Relax. Those shell extensions will break when the next Gnome release drops, so you won't be vulnerable for long. /s

Gnome moment

"im gnot a gnelf"

I dont even know plugins past autocomplete and syntax highlight 😅

this isn’t zsh being sketch, it’s something sketch that’s annoyingly takes its name from zsh. zsh is safe to everyone’s knowledge

or fish, the well-done zsh

my plugin manager is copy paste and the plugins I use are autocomplete and syntax highlighting

can't people just use KSH and BASH like sane beings? talk about bloat

Zsh with plugins is an infinitely better experience than stock, but using a plugin manager is comical. And tbh, if you want the zsh + plugins experience just use fish to start with.

@@millsjonah But what exact plugins do to make your experience infinitely better?

@@polinskitom2277 not the worst bloat. Matter of fact, zsh has a much smaller size than bash, although I do use bash instead at the moment.

So I hear

it's also just not a sentence. It's a jumble of words that suggest what you're reading into them, but the syntax is not actually English.

There more like config scripts

I'd consider myself somewhat of a ZSH master. It's basically BASH but better. While I think many of its improvements can be emulated in bash, or in some cases are even built-in, it has better defaults and some things that you simply can't do in bash - at least, not without sacrificing ergonomics, efficiency, and/or other resources. For instance, typing '/u/l/' and then pressing tab in ZSH, where the only root dir starting with a 'u' is /usr, will expand to it, and it will let you choose from /usr/{lib{,32,64},local} on my system, where those are the only 4 directories under /usr/ that start with an l. In bash, this functionality is either not present, or disabled by default. It's quite useful to be able to recursively expand to an directory, instantly if the prefix is unambiguous, or with simple prompting of each choice if it is ambiguous. It makes using other shells feel so much worse, and there's really 0 downsides to it. I think the true killer feature of zsh, at least for me, is its extended globbing - or more specifically, its filename generation. This provides a powerful and extremely efficient way to do a lot of common (and uncommon) things. For example, I can do `cat *(ommM0-)` to cat, in most-recently-modified order, all files in the current directory that were modified within the last month. Sure, I could do something like this with e.g. GNU find, but that's a lot more typing. And sure, I might not want to do that so often, but `*(om[1])` (which expands to the file with the latest mtime) is an incredibly frequent construct, super easy to type and not requiring any subprocesses or whatever, and really easy to change as needed to (e.g. want symlinks specifically? (just add an '@' inside the parentheses). Want the 3rd through 7th least recently modified? change the 'o' to an 'O' (inverts the sort order), and the '1' to '3,7' (or you could skip the sort inversion and use negative numbers, but ehhh)), that would be significantly less ergonomic and efficient to do in other shells. You can do many other things with its extended globbing, such as in the name inserting e.g. '-- :&1 1>&2 2>&3` and then add `SWPOS' to a program's command line to swap its stdout and stderr. Global aliases are niche and dangerous, but can be quite useful. I'm not aware of any other shell implementing them, though I haven't really checked (I'm pretty sure BASH doesn't have any support, at least) Oh and there's a ton of useful stuff you can do in parameter expansion (i.e. ${...}). For a conglemerate example, `${(s : )PATH}` would split $PATH on ':', `${(s : o)PATH}` would further sort it, and --noblacklist="${(Os : )^PATH} would then sort it backwards and abuse array zipping to generate `--noblacklist=/var/lib/flatpak/exports/bin --noblacklist=/usr/local/sbin --noblacklist=/usr/local/bin ...` Prompts are another place where ZSH can natively simply do more than other shells - ZSH enables you to optionally embed completely arbitrary commands into your prompt natively, so you can for example have your prompt automatically change color if the current directory is empty or unwritable, or display how many dirs away from root you are, or change its colors based on your terminal's active color theme, or whatever you wish - the sky's the limit. I personally daily-drive a personalized PROMPT and RPROMPT (a second, optional prompt that starts from the right of the screen, which is also something that ZSH has that BASH does not) with definitions well over 200 chars (though actual cell usage is like 20 out of 250(at typical zoom) and overhead is nigh-imperceptible). Actually, are the other prompts (e.g. the one displayed when in the middle of a heredoc) even customizable in other shells? Doesn't really matter and I'm not gonna looke right now, - though they are so in ZSH, of course I could go on and on, but I think you get the point. ZSH, to me, is like the Emacs of shells

​@@MH_VOIDdamn first ever explanation that goes in depth instead of "more customization", well done

@@ky3ow copy paste to /zsh for the love of god lol

I hope that isn't a compliment.

vs sh enjoyer

vs rc enjoyer

@@user-bv9jy2vm2g i just use korn shell, i ported starship prompt to it, made my own syntax highlighting, and do autocompletion with fzf

I switch back and forth

It's an incredibly dumb thing to do, checking for updates on every shell invocation is never a good idea

@@BrodieRobertson I think it is fair to criticize projects that do this but I think it is unfair to call out smaller projects and not criticize bigger projects like "Kitty" which literally phone-home without users knowing it and whose main maintainer actively undermines this privacy violation every time it is noted.

@@Sun_Seeker I didn't even know about Kitty doing that

@@Sun_Seeker IIRC that was a simple update check, easily disableable and also a known thing for terminal emulators to do (OTTOMH, I know WezTerm does the same. Also many other programs (that are not necessarily TEs) do the same but I digress). It's sensible (how better would you do it? And anyways, it's simple, can be disabled, and is actually useful and something many people would want enabled), and rather safe (code path is very well defined, minimal information is transmitted (IIRC it doesn't even send what version of kitty you're using, but merely asks the server what the latest is, terminates the connection, and locally compares the server-returned version to its own version!) and even a total takeover of the server by a malicious actor would have no impact). I'd also say that it being a "privacy violation" is pretty much nil. Now a secrecy violation, I suppose you could call it a very minor one, in that it informs the server and perhaps your DNS provider that you were presumably for for at least one brief moment shortly before the arrival of the ping either running the kitty TE or proxying the connection of somebody who was, but then again, is there really a problem with that? Kovid is justified in shutting down complaints by secrecy advocates who waste his time with non-issues, particularly in light of how much actual work he does Disclaimer: my knowledge is current as of a week or two ago of bored perusal. I'm having some trouble finding the discussions where all was talked about (browser history bad) and value a prompt response over verified correctness here

@@BrodieRobertson I'm not arguing that in a "real" use-case, it's a dumb thing to do. That's not what I'm arguing at all. What I'm saying is that I think it's actually a really clever way for malicious actors to lure junior developers into giving them their access!

No it's a 3rd party plugin manager

A lot of people use ZSH and run "plugins"

@@BrodieRobertson Sure, but they remain a minority among a minority of computer users, likely limited to personal computing. I can't imagine many servers or embedded platforms running anything other than the default shell for their distribution. (Insert "ed is the default text editor" copypasta) And how much overlap is there between the sorts of people who run zsh with plugins and the sorts who don't know not to curl stuff in their .zshrc?

@@BrodieRobertson I am one of them, yea. I mean why those guys set this stuff up?

26 as of a few weeks ago

@@BrodieRobertson you ae young. I thought you were older. You missed out on the old days of technology that I came from.

Windows is even worse for security wdym

lol

Lmfao

this but unironically. windows is more secure than linux.

Too much malware is designed for Windows 10 and 11. That's why I run Vista. Security in obscurity!!??!!??!