
To be honest, how is it any different from downloading a random executable and running it?

In the end you need to basically blindly trust people if you're going to use their software (and the software needs root privileges).

The only problem I have with this is that you can get MITM'd. curl doesn't validate SSL certificates.




It is a script that you can audit if you don't pipe it straight away into bash (with sudo!).

I don't know Sealion and they can be amazing and all, so don't get this comment wrong.

If they want to support Linux systems properly, instead of using a script like that, I would recommend them to use packages and add support per distribution. Each distribution has different tools to add and manage services, and there are different ways to boot the system services. It's not just adding symlinks anymore because upstart and systemd, etc.

Also I'd love to cleanly upgrade/uninstall/etc their agent, so add a repo and I'll install your agent with more confidence.

How do I know I don't like how they install their agent? Because I didn't pipe the script directly into bash.


> curl doesn't validate SSL certificates

Curl has an option to explicitly disable cert validation:

-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

Maybe you're thinking of an older version?

(edited for formatting)


This is way better than downloading a random executable and running it. (I assume you mean running it as root.) With this, you can grab the install script and see exactly what it uses root for. It only takes a couple minutes. You could even modify the install script to comply with whatever installation scheme you wanted, and probably even make a version that runs without root privs if you're willing to do a few things manually. This mechanism is WAY better than a binary executable installer.

As for the product, it looks really good to me. No mention of encryption of stored data in the privacy statement, which might be a concern for some.

Also it wouldn't hurt to make checksums available for the installer and downloaded tar, for more paranoid folks like me.


Yes, we wanted to give you the flexibility to see what we are installing on your servers. We understand the importance of checksums and will be realizing checksums for our agents in future releases.


Let's look at the established alternatives: packages. Packages are checked for corruption and validity.

This isn't so much different from downloading a random executable and running it. Hell, it's worse than that (since the download doesn't get stored for future audits)! But who said executing random executables from the internet is good in the first place?


> To be honest, how is it any different from downloading a random executable and running it?

It isn't, really. Both are creepy.
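
The points raised in this thread (read the script before running it, check it against a published checksum, keep the downloaded copy for later audits) can be combined into one workflow. The sketch below is an added example, not code from any commenter or from the vendor; the function names and the audit directory layout are hypothetical, and the URL and expected digest are supplied by the caller.

```shell
#!/bin/sh
# Added example: fetch to disk, verify, archive for audit, then run.
# All function names here are hypothetical; nothing is taken from the vendor.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Download over HTTPS only, with certificate validation left on (no -k),
# and write to a file instead of piping into a shell.
fetch_installer() {  # usage: fetch_installer URL DEST
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" "$1"
}

# Succeed only when the file's digest equals the published one.
# An empty digest (for example, a missing file) is always a failure.
verify_installer() {  # usage: verify_installer FILE EXPECTED_HEX
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1: got '$actual'" >&2
        return 1
    fi
}

# Verify, keep a copy named after its digest, then run that exact copy.
run_verified() {  # usage: run_verified FILE EXPECTED_HEX AUDIT_DIR
    verify_installer "$1" "$2" || return 1
    mkdir -p "$3" || return 2
    kept="$3/$(sha256_of "$1").sh"
    cp "$1" "$kept" || return 2
    sh "$kept"
}
```

The expected digest has to come from a channel other than the one serving the script, otherwise whoever can alter the download can alter the checksum too.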



