Using wget in cron jobs is insane

[samwaxxawmas]

I can't think of any conceivable reason for the "Proxmox VE Cron LXC Updater" to include the wget request to re-download the script which performs the LXC updates every time the job is run.

It's a massive security flaw to pull and execute un-inspected, arbitrary code on a regular basis.
The script is small and static.
Why does it need to be fetched every run!?!?

[argsnd]

I just saw that and came here to see if anyone else had said this. As much as we might trust @tteck if someone malicious gains access to this repository they have a vector to run whatever code they want as root on god knows how many machines. I've saved the script and updated my crontab to run it locally, and would recommend others do the same.

[samwaxxawmas]

Also I'm not sure we have any reason to trust @tteck - I haven't been able to find any information about this account as an individual, entity, or group. No name, no personal site, no other repositories... It is just a completely anonymous github account with no other web presence, yet these scripts are blindly executed by a huge number of Proxmox users.

[tteck]

I understand the importance of transparency and trust, especially in open-source projects where scripts are widely used.

Regarding my anonymity, I choose to focus on contributing to the community through the Proxmox VE Helper-Scripts project rather than building a personal web presence. My work on GitHub is aimed at providing helpful tools to the Proxmox community, and I believe the quality of the scripts and the feedback from users can serve as a testament to their safety and reliability.

That said, I always encourage users to review any script before executing it. Security and due diligence should never be compromised.

[samwaxxawmas]

Appreciate the response. Do you intend to address the issue by caching the upgrade script locally?

[tteck]

I see no issue to address. The user has the flexibility to download, modify their cron and run the update-lxcs-cron.sh script locally if they are uncomfortable with its current setup.

Download:

wget -q https://github.com/tteck/Proxmox/raw/main/misc/update-lxcs-cron.sh

[samwaxxawmas]

If I get some free time I might try to file a PR to change this - Unfortunately the LXC-Updater script does occasionally change, so users would have to manually run a new LXC-Updater-Updater script 🤷