
Here are some things that they could do better:

- the domain in the curlbashware URL could be less shady than sh.rustup.rs

- the "rustup is an official Rust project" claim on https://rustup.rs/ could be a link to a page somewhere on rust-lang.org that confirms that rustup.rs is the site to use



  - the domain in the curlbashware URL could be less shady than sh.rustup.rs
The domain is only as shady as it is unfamiliar. It's not shady to me since I recognize it as the canonical domain of the recommended installer for Rust, "rustup".

  - the "rustup is an official Rust project" claim on https://rustup.rs/ could be a link to a page somewhere on rust-lang.org that confirms that rustup.rs is the site to use
It links to rust-lang.org, whose installation page then describes rustup as the recommended way to install [0]. I suppose it could link directly to the page, but what really does that gain?

0: https://www.rust-lang.org/tools/install#rustup


It's shady because it's under the TLD for Serbia, while having no obvious connection to Serbia. I have nothing against Serbia, but the Rust project doesn't seem to have any special relationship to that country.

In HN and similar places, it is pretty normal to see a cc-tld used purely because the abbreviation fits. Not everyone is used to that, though. If it were e.g. https://rustup.dev/, that would mitigate this concern.


By that logic https://github.io is shady.

Also, a bad actor could just as well register https://rustup.dev. Rather than judging a URL in a vacuum based on the TLD, you should instead cross-reference the official docs and confirm that the URL is correct.


Is it not? If GitHub were asking me to download and run code from a github.io subdomain without checking a signature, or something of similar risk level, I'd be concerned. I'd also be correct to be concerned, since anyone can put anything in a github.io subdomain -- I'd need to make sure that GitHub actually owns that repo. Strictly speaking that's orthogonal, and GitHub does actually own the github.io domain. The domain still seems suboptimal to me, but I don't make those decisions.

And yes, a bad actor could just as easily register rustup.dev. Nobody ever claimed that checking the TLD is sufficient to make a site trustworthy; only that it appears a bit shady. Unless you're already familiar with Rust (or at least with a particular aspect of startup culture), there's no obvious reason to choose .rs. On the other hand, domains in somepopularsite.unrelatedtld have been a phishing staple for decades -- making the shady vibe at least a little bit reasonable.


I meant that the logic implies that https://github.io is shady because it uses the ccTLD of British Indian Ocean Territory despite being unrelated.

Of course you should cross-reference the authenticity of any URL you are about to execute as a shell script. No one is saying not to.

But your point seems to agree with mine: it’s only as shady as it is unfamiliar. The answer shouldn’t be to come up with a URL that lowers your guard. Instead, users should get familiar.


"the domain in the curlbashware URL could be less shady than sh.rustup.rs"

Relying on a familiar looking domain doesn't get you much security, especially with internationalized domain names where what a domain name appears like in one language could actually be very different in another.
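The two checks the thread keeps coming back to, cross-referencing a URL against the hosts the official docs name rather than judging the TLD, and not trusting a domain that merely looks familiar once internationalized labels are in play, can be mechanized. The script below is an added illustration, not code from rustup or from anyone in this thread. It assumes a small allow-list of hosts (the ones cited in this thread: rustup.rs, sh.rustup.rs, www.rust-lang.org) that a real tool would instead read from the official installation page, and the lookalike URL it tests is constructed.

```python
"""Cross-check an installer URL before running it.

Three checks, all defensive:
  1. the scheme is https;
  2. the host, once IDNA-encoded, is plain ASCII and no DNS label mixes
     Unicode scripts (a Cyrillic letter hiding among Latin ones);
  3. the host is one named in the official documentation.
Added example; the allow-list below is an assumption for this demo.
"""
import unicodedata
from urllib.parse import urlsplit

# Hosts the thread itself cites as official. A real check would load this
# from https://www.rust-lang.org/tools/install rather than hard-code it.
KNOWN_INSTALLER_HOSTS = {"rustup.rs", "sh.rustup.rs", "www.rust-lang.org"}


def to_ascii_host(host: str) -> str:
    """Lower-case and IDNA-encode a hostname.

    Lookalike Unicode labels come back as visible 'xn--' punycode instead
    of rendering as familiar Latin letters.
    """
    host = host.rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Approximate the set of Unicode scripts used by the letters of one
    DNS label, via the first word of each character's Unicode name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN')."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def assess_url(url: str) -> dict:
    """Return {'host': ascii_host, 'ok': bool, 'findings': [reasons]}."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    findings = []

    if parts.scheme != "https":
        findings.append("not https")

    try:
        ascii_host = to_ascii_host(raw_host)
    except UnicodeError as exc:
        # Labels that fail IDNA (too long, empty, disallowed characters)
        return {"host": raw_host, "ok": False,
                "findings": ["host fails IDNA encoding: %s" % exc]}

    if ascii_host != raw_host.lower():
        findings.append("host contains non-ASCII (punycode: %s)" % ascii_host)

    for label in raw_host.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            findings.append("mixed scripts in label %r: %s"
                            % (label, sorted(used)))

    if ascii_host not in KNOWN_INSTALLER_HOSTS:
        findings.append("host not in documented installer hosts")

    return {"host": ascii_host, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs: the real URL, a lookalike with a Cyrillic 'er'
    # (U+0440) in place of Latin 'p', and the hypothetical rustup.dev.
    for candidate in ("https://sh.rustup.rs/",
                      "https://sh.rustu\u0440.rs/",
                      "https://rustup.dev/"):
        print(candidate, "->", assess_url(candidate))
```

Note what the third candidate shows: rustup.dev is rejected for exactly the reason raised above, a friendlier TLD buys nothing unless the host also matches what the official docs say, and the lookalike is caught even though it would render identically to the real domain in most fonts.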


I imagine people type that string on their terminals. Pasting things there is full of issues, and it's not long.



