This conversation started when you said you don't see any rational basis for the criticism of running wget/install as root when no vetting takes place on conventional installations. My post wasn't a plug for Nginx, but an imploring to know what you install.
Since I can't know everything that's running on my system, I'd trust that from some place that actually does vetting. It doesn't need to be OpenBSD, but some competent source with an established record for security.
That's not tautology. It's sane practice that I wish more people followed.
The wget/shell install as root is presumptuous in the extreme for a young project with no history. In fact, many young projects, whose security we know nothing about, have similar installations and that's a bad precedent to set and continue.
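The alternative to `wget -O- URL | sudo sh` that the comment above argues for, written out as an added example (not code from the thread, from the OP's project, or from OpenBSD): fetch the installer to a file rather than a pipe, compare it against a pinned SHA-256 obtained out of band (release page, signed tag, maintainer's key), leave it on disk to read, and only then run it as the current unprivileged user into a prefix under `$HOME`. The `--prefix` flag, the URL and the pinned digest are assumptions for illustration; `curl` and either `sha256sum` or `shasum` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread or any project it discusses.
# Shows the "download, pin, inspect, install without root" pattern
# instead of piping a remote script straight into a root shell.

# sha256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 only when the file's digest matches the pinned value exactly;
# 1 on mismatch, 2 if the digest could not be computed.
verify_installer() {
    file=$1; expected=$2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing: $file sha256 $actual != pinned $expected" >&2
        return 1
    fi
    return 0
}

# stage_and_install URL EXPECTED_SHA256 [PREFIX]
# 1. fetch to a file (a pipe executes whatever arrived before the
#    connection dropped, a file can be checked as a whole first),
# 2. verify against the pinned digest,
# 3. leave the file on disk so it can be read before it runs,
# 4. run it as the current user into a user-writable prefix.
# sudo is deliberately absent. Assumption: the installer accepts --prefix.
stage_and_install() {
    url=$1; expected=$2; prefix=${3:-$HOME/.local}
    tmp=$(mktemp) || return 2
    # -f: fail on HTTP errors, -L: follow redirects, --proto: TLS only
    curl -fsSL --proto '=https' -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    verify_installer "$tmp" "$expected" || { rm -f "$tmp"; return 1; }
    echo "verified $url; review before proceeding: less $tmp" >&2
    sh "$tmp" --prefix "$prefix" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (assumed URL and digest, shown only as a comment so nothing is
# fetched when this file is sourced):
#   stage_and_install https://example.invalid/install.sh \
#       5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
```

The digest check is the load-bearing step: it turns "I trust whatever the server sends today" into "I trust the bytes I or the maintainer reviewed", which is the vetting the comment asks for. Running the staged script as an unprivileged user with an explicit prefix limits what a mistake in it can touch.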
Yes, but at this point, of course you won't want to use the OP's software, or any other newish project linked on Hacker News. The method of installation (which is what we were talking about here) isn't the problem, because you wouldn't use anything from him because he isn't OpenBSD. And that's OK — you can be as conservative as you like. It just had me confused as to why you were bringing it up.
> because you wouldn't use anything from him because he isn't OpenBSD
My sarcasm detector must be malfunctioning. Who said I don't want to use his software or install anything linked on HN because they're new? I've checked out and installed plenty of things linked on HN, not because they're new, but because they're interesting. But lax procedures like the root shell install aren't good indicators.
In fact, I was just going over his install script to see whether it's worth installing and testing, but seeing things like this:
# The umask is ridiculous, or mkdir does not conform to POSIX,
# or it failed possibly due to a race condition. Create the
# directory the slow way, step by step, checking for races as we go.
case $dstdir in
/*) prefix='/';;
-*) prefix='./';;
*) prefix='';;
esac
> My sarcasm detector must be malfunctioning. Who said I don't want to use his software or install anything linked on HN because they're new? I've checked out and installed plenty of things linked on HN, not because they're new, but because they're interesting. But lax procedures like the root shell install aren't good indicators.
Oh, my apologies. I think the context of your other comments caused me to misunderstand that one. Your initial comment was simply "Nginx is part of the base OpenBSD install," and I read your later comment as an explanation of that, which made it sound to me like "I'm OK with nginx because it comes with OpenBSD and not OK with the OP's server because he's not a trusted organization." I understand better now.
And I apologize as well. My posts were venturing over to the pushy/rude side and I don't want that to be the case.
Truth is that I do enjoy seeing new projects like this because it forces me to look at things with a fresh perspective. Yes, the install method did give me some pause, but maybe I've been spoiled by things that I'm comfortable with, so I welcome the chance to pore over the code for something totally different.