
I always laugh when people give you a URL to C code to test for remote code execution...


Why?

Reproducers are standard fare and it's not like the code in this case is obfuscated. Are magic code goblins going to come and invoke Ken Thompson's untrustable computing and make your computer install windows and join a botnet or something?


Because if you give someone a URL to C code and they run it, you have effectively gotten them to remotely execute your code ;-)


You're piping random executables from the internet without even looking at them to see what they do if you run that command.


There's no pipe involved in the GP's posting. It downloads a source file and the post even points out to check the file before compiling. I actually copied and pasted the test code from the original advisory. Should I have typed it in with my own bare fingers to be more secure? I agree with your sentiment in general, you just picked the wrong example to bash here.


I was responding to the later posts who were confused as to why someone would laugh at seeing that. You're right that you said to check and I wasn't trying to bash that post at all.

That aside, I actually did type it into my disposable VM. The theory being that if there was something subtle, it would force me either to type it wrong and not be exploited due to cognitive blindness or I'd catch the problem and avoid it.

I've read too many IOCCC entries and I probably am a bit paranoid.


The average Linux IT guy will not read the C code. Many of them wouldn't be able to really understand what it does either. And this is the best case: the code is simple and easy to grok.


If you're not reading the code you can just as well curl-and-pipe it. However, we run so much code on our computers that is trusted-by-association (oh, that's from apache.org, that's probably safe!) that it probably does not matter anyway.


    > You're piping random executables from the internet
    > without even looking at them to see what they do if you
    > run that command
... and then in your profile:

    > Just another Perl hacker.
You audit every CPAN module you install, line by line, right?


I agree, it is funny, but we run code we can't even see all day long. This is only 38 LOC. Anyone who is going to run it, however, should make sure they understand it.


You know you can also read the source code, right? Even if you are not proficient with C you can understand what it's doing.


As opposed to code in some other language?


Might as well throw a --no-check-certificate in there
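The thread keeps circling the same practical question: how do you fetch a reproducer from an advisory without handing the advisory's host (or anyone on the path) remote code execution on your box? The script below is an added example, not code from the thread or from the advisory under discussion. It assumes the advisory publishes a SHA-256 digest of the reproducer (`EXPECTED_SHA256`, a placeholder here), keeps wget's certificate checking on instead of adding `--no-check-certificate`, and refuses to compile anything whose digest does not match; the compile step still belongs in the disposable VM one commenter mentions.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a reproducer over TLS with
# certificate verification left ON, check its SHA-256 against the digest
# published in the advisory, and only then compile it.
# Assumptions: the advisory publishes a digest; ${CC:-cc} is a C compiler.
set -eu

# Fetch with wget's default TLS verification intact. Do not add
# --no-check-certificate: without verification anyone in the path can
# swap the reproducer for their own, which is exactly the RCE joked about.
fetch_reproducer() {
    url="$1"; out="$2"
    wget --https-only -O "$out" "$url"
}

# Compare the file's SHA-256 with the expected digest.
# Exit status 0 on match, non-zero on mismatch, so callers can refuse to build.
verify_reproducer() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Compile only after the digest matches; a mismatch never reaches the compiler.
build_if_verified() {
    file="$1"; expected="$2"; bin="$3"
    if ! verify_reproducer "$file" "$expected"; then
        echo "digest mismatch for $file; refusing to compile" >&2
        return 1
    fi
    ${CC:-cc} -Wall -o "$bin" "$file"
}

# Usage (placeholders; fill in from the advisory):
#   EXPECTED_SHA256=<digest from the advisory>
#   fetch_reproducer https://example.invalid/repro.c repro.c
#   build_if_verified repro.c "$EXPECTED_SHA256" ./repro   # then read repro.c
```

The point of splitting `verify_reproducer` out is that the digest check is the step people skip: reading 38 lines of C tells you what the author wrote, but only the digest tells you that what you downloaded is what the advisory's author wrote.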
