IANAL so please don't take my word for it. But if I understood it correctly, this is indeed legal. You don't have to offer your stuff for free. And as long as you let the user decide if they want to pay with money or with data, it's legal. The important part is, that the user needs to give consent, which is the case here. Not talking about the morality of it though.

I need to look it up again, but I read about a study that showed that the results improve if you tell the AI that your job depends on it or similar drastic things. It's kinda weird.

Does anyone have resources for ADHD friendly clean-up techniques? And I don't mean cleaning-up like in "removing dirt" but how to sort your stuff? My main chaos exists because I don't know where to put everything.

I seriously thought about getting a waterproof notepad for that reason

That's some weird automatic sharpening. Use the digital zoom on your phone and and take a picture of trees or hay or whatever. Then you'll have the same artifacts. I wish there was a way to turn it off.

Thank you for your amazing posts! I really enjoy them!

That resonates so well with me. Attending all the meetings, discussing feature requests and evaluating their feasibility is so exhausting. But working overtime for a few days to find and fix the bug that completly halted production? No problem!

One ski boot every night? That's very strange indeed.

You mean Wind🤮ws?

I never tried to win any argument. Hell I was not even aware that I'm participating in one. I just wanted to share the info, that even if the vendor is absolutely trustworthy and even if you validated the script by downloading and looking at it, there's still another hole that's not obvious to see.

Yes it's unlikely, but again, I never said it were. There are also arguments you can run curl with, to tell it to do the download first and then push it through the pipe afterwards, though I don't know them by heart now.

It won't cost you anything to set those parameters, when you insist to use curl | bash, just in the off chance that someone's trying to do what I mentioned.

But I'm also someone who usually validates their downloads with a checksum so maybe I'm just weird. Who knows.

It is actually a passive detection based of the timing of the chunk requests. Because curl by default will only request new chunks when the buffer is freed by the shell executing the given commands. This then can be used to detect that someone is not merely downloading but simultaneously executing it. Here's a writeup about it:

https://web.archive.org/web/20250209133823/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

You can also find some proof-of-concept implementations online to try it out yourself.

You shouldn't install software from someone you don't trust anyway because even if the installation process is save, the software itself can do whatever it has permission to.

"So if you trust their software, why not their install script?" you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor it trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell.

And I think this is not obvious and very scary.