
wget -qO- https://tdeploy.lightning.pub | bash
Please don't encourage anyone to develop the habit of piping directly from curl/wget into bash!
Downloading a temporary copy gives the opportunity to look over and possibly customize for your system before running it, and also makes it easier to resume from partway if it failed and needed intervention.
Then we are going back to square one where the new user is lost in complex commands.
A single-line command is much easier for any user.
If you really want to help, take the software and make it a flatpak. We have to make it easier, not more complicated.
reply
17 sats \ 1 reply \ @supratic 4 Nov
It's probably worth defining which kind of user we are talking about, because not everyone operates the CLI and not everyone is comfortable running flatpaks without knowing what's inside.
These are two different scenarios, and LNpub is probably at an early stage still. Feedback like this helps the product grow; offering various options for different types of users could be really helpful.
reply
not everyone operates the CLI and not everyone is comfortable running flatpaks without knowing what's inside.
Last time I set up a desktop environment, KDE Plasma included a graphical installer that handled all the Flatpak machinery while still showing you who the publisher was. I'm not familiar enough with the entire "Desktop Linux" space to make an absolute comparison, although the UX seemed like something a non-technical user could figure out and even rely upon for making security-related decisions.
reply
0 sats \ 1 reply \ @adlai 4 Nov
I realise there's a tradeoff, and you're definitely correct about the usability.
Maybe the better approach is a verbal warning, separate from the copy-pasteable command, along the lines of "this command installs a program, don't run it on critical systems" and encouraging that people have separate hardware for critical systems. That's definitely twice as much maintenance, although it is much easier for someone to reason about security considerations when the sensitive system is a physically separate computer.
reply
It's a pretty common practice; I think I borrowed the idea from nvm, bun, and other things.
Even more stuff just adds apt repos to the keyring which is worse imo.
This way you can view the code in browser and see it runs from GitHub.
We did recently drop the sudo requirement for user space isolation.
It's really meant for quick lean VPSs or old laptop nodes without the docker bloat.
If someone has a critical system and isn't cloning from GitHub manually they got bigger issues.
reply
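
The download-then-review workflow suggested earlier in the thread, as an added example that is not part of any participant's post or of the project's own installer: it saves the script to a temporary file, lets you read or edit it, and then runs only the bytes you reviewed. The function names are hypothetical; the URL in the usage comment is the one from the post.

```shell
#!/usr/bin/env bash
# Added example: fetch an installer to a temp file, review it, then run
# exactly what was reviewed. Function names are hypothetical.

# fetch_installer URL -> prints the path of the downloaded temp file
fetch_installer() {
    local url=$1 tmp
    tmp=$(mktemp) || return 1
    # A failed or interrupted download leaves nothing behind to run.
    if ! wget -qO "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$tmp"
}

# file_digest FILE -> prints the file's SHA-256 in hex
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_reviewed FILE DIGEST [ARGS...]
# Runs FILE only if it still hashes to the DIGEST noted at review time.
run_reviewed() {
    local file=$1 expected=$2 actual
    shift 2
    actual=$(file_digest "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: reviewed $expected, file is $actual" >&2
        return 1
    fi
    bash "$file" "$@"
}

# Typical session:
#   f=$(fetch_installer https://tdeploy.lightning.pub) || exit 1
#   less "$f"                 # read it; edit it if your system needs changes
#   d=$(file_digest "$f")     # record the digest of what you reviewed
#   run_reviewed "$f" "$d"    # re-run later from the same file if it failed
```
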