2. Why should I have to download text to __read text__?
3. We don't want to normalize unnecessary behavior that is something scammers and bad actors can easily take advantage of.
While I don't believe the leak is nefarious or contains an exploit, normalizing a requirement to download files that can issue exploits -- when there are easy alternatives that make this unnecessary -- just helps create the exact type of environment that scammers thrive in. 3 is incredibly important. If we're going to call out scammers we shouldn't do it in a manner where we're enabling an environment for more scammers to thrive in. Doing what's done here just created a rich opportunity for hackers who can now post a "rabbit source code leak" and just provide people with a different link. Makes for easy pickings. Uncompressed and readable code just makes this harder, and makes it easier for people to determine if something nefarious is going on.
It's not a single file unless it's tar'd or compressed or whatever. It's completely normal to distribute software projects as some form of archive. This is doubly true for a "leak" like this where you want the single file to spread around.
I agree that it would be nice to have it browsable online, like in a github repo or whatever, but that's a separate issue.
> It's completely normal to distribute software projects as some form of archive
Again, I think you're missing my point.
>> normalizing a requirement to download files that can issue exploits -- when there are easy alternatives that make this unnecessary -- just helps create the exact type of environment that scammers thrive in
Yes, it is "normal" and that is exactly the problem.
Ask yourself this:
Is there a reasonable alternative?
Is downloading necessary?
I think you'll find that the answer to both is unambiguously "no." I think you'll also recognize that having the readable source __also__ unambiguously creates higher utility.
So you don't need to explain to me that this stuff is normal because I already understand that (and am actively demonstrating a knowledge of this). I realize communication isn't always obvious, but if someone is telling you that you're missing the point of what they're saying, please consider that you might actually be missing the point rather than doubling down. Even if you aren't, someone telling you that indicates that somewhere there's a miscommunication, and that needs to be resolved.
I would prefer that it is distributed as a zip. It allows me to easily get the entire file, and hash it to make sure it's the same file as other people are getting, and have an archive of it.
I would also like to be able to browse it online, but this is a usability issue for strictly when I'm intending to read it in a browser alone.
As to your final paragraphs referring to communication and me "explaining to you that this stuff is normal", you specifically said that "We don't want to normalize unnecessary behavior", which implies that you do not think it is already normalized. You're also implying that I should have altered my interpretation of your words when you said that I was missing your point, even though you didn't say I was missing your point until the same reply.
In any case, I think I understand your POV regarding archives, and I disagree.
> I would prefer that it is distributed as a zip. It allows me to easily get the entire file, and hash it to make sure it's the same file as other people are getting, and have an archive of it.
I mean hosting it on any GitHub alternative makes this possible too. We also get better archival because when things change, we can see. Considering this says "Part 1" I expect things to change. History tracking is better for archival.
> you specifically said that "We don't want to normalize unnecessary behavior" which implies that you do not think it is already normalized.
That's not accurate. Here's a counter-example: "We don't want to normalize clickbait headlines." Clickbait headlines are already normalized; that does not mean we want them to be, nor does it mean we should accept them and not fight against them. I'm sure you can find many other similar examples.
To me the question is, why would you put source code on GitHub if you're not going to make it uncompressed? What's the point of using a source code hosting website if your payload is a link to an upload site? Pastebin sites have been around for years.
Why does a user need to download a file to achieve the goals? Does doing so provide added utility?
Does obscurification provide some benefit?
Does distribution in this manner help normalize environments which scammers take advantage of?
I'd argue:
- Don't make users download things they don't have to.
- Serving in plain text gives higher utility as users can view it on any device (e.g. mobile. Am I the only one that reads repos on mobile?)
- A GitHub alternative also provides the capacity to download an archived zip, thus achieving any benefits that aren't obscurification related
- Git helps for better archiving as we can have a track record of commits and changes (this is labeled "Part 1"!)
- Did no one else notice that there are ".github" directories with workflows? But there is no ".git" folder? I'd honestly like that...
- While a zip itself is not an executable and not generally dangerous in and of itself, scammers (hackers) do take advantage of such environments. Because you can... change a file extension. Or because a user may double click the zip to extract, but this will cause execution. Or idk, hackers are fucking smart and people are dumb.
I'm a bit peeved that people feel the need to explain to me that a zip isn't nefarious in and of itself, because that's not what I was concerned with (and that there are several such comments and we don't need to keep repeating the same comment...). My concern is with how such formatting is (as best as I can tell) not necessary, suboptimal, and normalizes practices that nefarious actors take advantage of. This topic is obviously hot, so I won't be surprised if there are "alternative links" that could just contain straight up malware. Yeah, the user has to execute it, but people are dumb, lazy, and/or tired and there is a *better* form of distribution that just doesn't leave this script-kiddie style attack around. Like for fuck's sake, people at intelligence agencies plug in USBs they find on the ground...
I suppose there's the risk of a 0-day in the compression format, given we're in the post-xz era. Publishing the source code in clear text would alleviate such risk for the consumer.