this post was submitted on 21 May 2024
146 points (100.0% liked)

Programming

423 readers
4 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS
 

New favorite tool 😍

top 50 comments
sorted by: hot top controversial new old
[–] thingsiplay 62 points 6 months ago* (last edited 6 months ago) (2 children)

Basically another shell scripting language. But unlike most other languages like Csh or Fish, it can compile back to Bash. At the moment I am bit conflicted, but the thing it can compile back to Bash is what is very interesting. I'll keep an eye on this. But it makes the produced Bash code a bit less readable than a handwritten one, if that is the end goal.

curl -s "https://raw.githubusercontent.com/Ph0enixKM/AmberNative/master/setup/install.sh" | $(echo /bin/bash)

I wish this nonsense of piping a shell script from the internet directly into Bash would stop. It's a bad idea, because of security concerns. This install.sh script eval and will even run curl itself to download amber and install it from this url

url="https://github.com/Ph0enixKM/${__0_name}/releases/download/${__2_tag}/amber_${os}_${arch}" ... echo "Please make sure that root user can access /opt directory.";

And all of this while requiring root access.

I am not a fan of this kind of distribution and installation. Why not provide a normal manual installation process and link to the projects releases page: https://github.com/Ph0enixKM/Amber/releases BTW its a Rust application. So one could build it with Cargo, for those who have it installed.

[–] FizzyOrange@programming.dev 9 points 6 months ago (4 children)

I wish this nonsense of piping a shell script from the internet directly into Bash would stop. It’s a bad idea, because of security concerns.

I would encourage you to actually think about whether or not this is really true, rather than just parroting what other people say.

See if you can think of an exploit I perform if you pipe my install script to bash, but I can't do it you download a tarball of my program and run it.

while requiring root access

Again, think of an exploit I can do it you give me root, but I can't do if you run my program without root.

(Though I agree in this case it is stupid that it has to be installed in /opt; it should definitely install to your home dir like most modern languages - Go, Rust, etc.)

[–] onlinepersona@programming.dev 28 points 6 months ago (1 children)

I would encourage you to actually think about whether or not this is really true, rather than just parroting what other people say.

I would encourage you to read up on the issue before thinking they haven't.

See if you can think of an exploit I perform if you pipe my install script to bash, but I can’t do it you download a tarball of my program and run it.

Here is the most sophisticated exploit: Detecting the use of "curl | bash" server side.

It is also terrible conditioning to pipe stuff to bash because it's the equivalent of "just execute this .exe, bro". Sure, right now it's github, but there are other curl|bash installs that happen on other websites.

Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.

Anti Commercial-AI license

[–] BatmanAoD@programming.dev 4 points 6 months ago (2 children)

But..."just execute this .exe, bro" is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?

[–] DaPorkchop_@lemmy.ml 15 points 6 months ago (2 children)

No, it was compiled by the team which maintains my distro's package repository, and cryptographically verified to have come from them by my package manager. That's a lot different than downloading some random executables I pulled from a website I'd never heard of before and immediately running them as root.

[–] BatmanAoD@programming.dev 3 points 6 months ago

Yes, I agree package managers are much safer than curl-bash. But do you really only install from your platform's package manager, and only from its central, vetted repo? Including, say, your browser? Moreover, even if you personally only install pre-vetted software, it's reasonable for new software to be distributed via a standalone binary or install script prior to being added to the package manager for every platform.

load more comments (1 replies)
[–] onlinepersona@programming.dev 6 points 6 months ago (1 children)

Are you seriously comparing installing from a repo or "app store" to downloading a random binary on the web and executing it?

P.S I've compiled a lot of stuff using nix, especially when it's not in the cache yet or I have to modify the package myself.

Anti Commercial-AI license

load more comments (1 replies)
[–] tgt@programming.dev 12 points 6 months ago* (last edited 6 months ago) (1 children)

It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what you'll be running. Same for a source tarball. That's my main gripe with this piping stuff. It assumes you don't even care about the security.

load more comments (1 replies)
[–] nick@midwest.social 3 points 6 months ago (1 children)

Whoa, that’s a real bad take there bud. You are completely and utterly wrong.

load more comments (1 replies)
load more comments (1 replies)
[–] eveninghere 6 points 6 months ago (1 children)

I mean, you can always just download the script, investigate it yourself, and run it locally. I'd even argue it's actually better than most installers.

[–] 30p87@feddit.de 6 points 6 months ago* (last edited 6 months ago)

Install scripts are just the Linux versions of installer exes. Hard and annoying to read, probably deviating from standard behaviour, not documenting everything, probably being bound to specific distros and standards without checks, assuming stuff way too many times.

[–] zygo_histo_morpheus@programming.dev 30 points 6 months ago (1 children)

Looking at the example

Why does the generated bash look like that? Is this more safe somehow than a more straighforward bash if or does it just generate needlessly complicated bash?

[–] thingsiplay 16 points 6 months ago (1 children)

Especially as Bash can do that anyway with if [ "${__0_age}" -lt 18 ] as an example, and could be straight forward. Also Bash supports wildcard comparison, Regex comparison and can change variables with variable substitution as well. So using these feature would help in writing better Bash. The less readable output is expected though, for any code to code trans-compiler, its just not optimal in this case.

[–] BatmanAoD@programming.dev 12 points 6 months ago (1 children)

It's probably just easier to do all arithmetic in bc so that there's no need to analyze expressions for Bash support and have two separate arithmetic codegen paths.

[–] thingsiplay 8 points 6 months ago (1 children)

But its the other way, not analyzing Bash code. The code is already known in Amber to be an expression, so converting it to Bash expression shouldn't be like this I assume. This just looks unnecessary to me.

[–] BatmanAoD@programming.dev 4 points 6 months ago* (last edited 6 months ago) (2 children)

No, I mean, analyzing the Amber expression to determine if Bash has a native construct that supports it is unnecessary if all arithmetic is implemented using bc. bc is strictly more powerful than the arithmetic implemented in native Bash, so just rendering all arithmetic as bc invocations is simpler than rendering some with bc and some without.

Note, too, that in order to support Macs, the generated Bash code needs to be compatible with Bash v3.

load more comments (2 replies)
[–] fourwd@programming.dev 28 points 6 months ago* (last edited 6 months ago)

The language idea is good, but: THREE.WebGLRenderer: A WebGL context could not be created. Reason: WebGL is currently disabled.

Seriously? Why do I need WebGL to read TEXT in docs? :/

[–] Euro@programming.dev 26 points 6 months ago* (last edited 6 months ago) (1 children)

As someone who has done way too much shell scripting, the example on their website just looks bad if i'm being honest.

I wrote a simple test script that compares the example output from this script to how i would write the same if statement but with pure bash.

here's the script:

#!/bin/bash

age=3

[ "$(printf "%s < 18\n" "$age" | bc -l | sed '/\./ s/\.\{0,1\} 0\{1,\}$//')" != 0  ] && echo hi

# (( "$age" < 18 )) && echo hi

Comment out the line you dont want to test then run hyperfine ./script

I found that using the amber version takes ~2ms per run while my version takes 800microseconds, meaning the amber version is about twice as slow.

The reason the amber version is so slow is because: a) it uses 4 subshells, (3 for the pipes, and 1 for the $() syntax) b) it uses external programs (bc, sed) as opposed to using builtins (such as the (( )), [[ ]], or [ ] builtins)

I decided to download amber and try out some programs myself.

I wrote this simple amber program

let x = [1, 2, 3, 4]
echo x[0]

it compiled to:

__AMBER_ARRAY_0=(1 2 3 4);
__0_x=("${__AMBER_ARRAY_0[@]}");
echo "${__0_x[0]}"

and i actually facepalmed because instead of directly accessing the first item, it first creates a new array then accesses the first item in that array, maybe there's a reason for this, but i don't know what that reason would be.

I decided to modify this script a little into:

__AMBER_ARRAY_0=($(seq 1 1000));
__0_x=("${__AMBER_ARRAY_0[@]}");
echo "${__0_x[0]}"

so now we have 1000 items in our array, I bench marked this, and a version where it doesn't create a new array. not creating a new array is 600ms faster (1.7ms for the amber version, 1.1ms for my version).

I wrote another simple amber program that sums the items in a list

let items = [1, 2, 3, 10]
let x = 0
loop i in items {
    x += i
}

echo x

which compiles to

__AMBER_ARRAY_0=(1 2 3 10);
__0_items=("${__AMBER_ARRAY_0[@]}");
__1_x=0;
for i in "${__0_items[@]}"
do
    __1_x=$(echo ${__1_x} '+' ${i} | bc -l | sed '/\./ s/\.\{0,1\}0\{1,\}$//')
done;
echo ${__1_x}

This compiled version takes about 5.7ms to run, so i wrote my version

arr=(1 2 3 10)
x=0
for i in "${arr[@]}"; do
    x=$((x+${arr[i]}))
done
printf "%s\n" "$x"

This version takes about 900 microseconds to run, making the amber version about 5.7x slower.

Amber does support 1 thing that bash doesn't though (which is probably the cause for making all these slow versions of stuff), it supports float arithmetic, which is pretty cool. However if I'm being honest I rarely use float arithmetic in bash, and when i do i just call out to bc which is good enough. (and which is what amber does, but also for integers)

I dont get the point of this language, in my opinion there are only a couple of reasons that bash should be chosen for something a) if you're just gonna hack some short script together quickly. or b) something that uses lots of external programs, such as a build or install script.

for the latter case, amber might be useful, but it will make your install/build script hard to read and slower.

Lastly, I don't think amber will make anything easier until they have a standard library of functions.

The power of bash comes from the fact that it's easy to pipe text from one text manipulation tool to another, the difficulty comes from learning how each of those individual tools works, and how to chain them together effectively. Until amber has a good standard library, with good data/text manipulation tools, amber doesn't solve that.

[–] DevopsPalmer@lemmy.dbzer0.com 10 points 6 months ago

This is the complete review write up I love to see, let's not get into the buzzword bingo and just give me real world examples and comparisons. Thanks for doing the real work πŸ™‚

[–] popcar2@programming.dev 14 points 6 months ago (1 children)

Compiling to bash seems awesome, but on the other hand I don't think anyone other than the person who wrote it in amber will run a bash file that looks like machine-generated gibberish on their machine.

[–] FizzyOrange@programming.dev 16 points 6 months ago

I disagree. People run Bash scripts they haven't read all the time.

Hell some installers are technically Bash scripts with a zip embedded in them.

[–] sudo@programming.dev 11 points 6 months ago

I'm very suspicious of the uses cases for this. If the compiled bash code is unreadable then what's the point of compiling to bash instead of machine code like normal? It might be nice if you're using it as your daily shell but if someone sent me "compiled" bash code I wouldn't touch it. My general philosophy is if your bash script gets too long, move it to python.

The only example I can think of is for generating massive install.sh

[–] eveninghere 10 points 6 months ago (1 children)

Why not compile it to sh though.

[–] jack@monero.town 4 points 6 months ago* (last edited 6 months ago) (1 children)

There is no sh shell. /bin/sh is just a symlink to bash or dash or zsh etc.

But yes, the question is valid why it compiles specifically to bash and not something posix-compliant

[–] emptiestplace@lemmy.ml 13 points 6 months ago (1 children)
[–] jack@monero.town 2 points 6 months ago* (last edited 6 months ago) (1 children)

Yes, there was the bourne sh on Unix but I don't see how that's relevant here. We're talking about operating systems in use. Please explain the downvotes

[–] BatmanAoD@programming.dev 10 points 6 months ago (1 children)

It's relevant because there are still platforms that don't have actual Bash (e.g. containers using Busybox).

sh is not just a symlink: when invoked using the symlink, the target binary must run in POSIX compliant mode. So it's effectively a sub-dialect.

Amber compiles to a language, not to a binary. So "why doesn't it compile to sh" is a perfectly reasonable question, and refers to the POSIX shell dialect, not to the /bin/sh symlink itself.

[–] jack@monero.town 6 points 6 months ago
[–] AdamBomb@lemmy.sdf.org 9 points 6 months ago

I like the idea in principle. For it to be worth using though, it needs to output readable Bash.

[–] Leate_Wonceslace@lemmy.dbzer0.com 6 points 6 months ago (2 children)

I'm a mathematician with very limited programming experience. Can someone explain the significance of this?

[–] Tyfon@programming.dev 12 points 6 months ago (1 children)

Bash is one of the most used shell language, it's installed on almost all Linux and Mac systems and can also be used on windows. Almost no one likes writing it as it is convoluted and really really hard to read and write. There are many replacement language's for it, but using them is troublesome, because of incompatibilities. Amber is compiled which will solve problems with compatibility and it seems that language itself is very readable. On top of that it has most futures that modern programmers need.

Thank you, I think I understand now. πŸ™‚

[–] choroalp@programming.dev 8 points 6 months ago

Basically dealing with abandoned-by-god syntax and limitations of bash. You can abstract them away!

[–] green_dot@le.fduck.net 4 points 6 months ago

when people have too much free time

[–] cadekat@pawb.social 4 points 6 months ago (1 children)

Here's a language that does bash and Windows batch files: https://github.com/batsh-dev-team/Batsh

I haven't used either tool, so I can't recommend one over the other.

[–] thingsiplay 2 points 6 months ago (1 children)

The only issue I have is the name of the project. They should have gone with a more distinct name.

[–] vvv@programming.dev 8 points 6 months ago

I can't believe they didn't with go with BatShIt. it's right there! they were SO close!

[–] morrowind@lemmy.ml 4 points 6 months ago (1 children)

How is it using something like this vs just a bash alternative. Can you use this in the shell or only as a compiled language?

[–] FizzyOrange@programming.dev 2 points 6 months ago (1 children)

If you can use an alternative then do that. This is for situations where you can't use an alternative or don't want users to have to install anything else.

[–] morrowind@lemmy.ml 2 points 6 months ago (1 children)

you still have to install this though

[–] FizzyOrange@programming.dev 4 points 6 months ago

You don't have to install it on the machine where the script is run. That's the point.

[–] Code@programming.dev 4 points 6 months ago (1 children)
[–] syd@lemy.lol 3 points 6 months ago

I’m trying but I’m shooting my own foot all the time 😒

[–] bss03@infosec.pub 3 points 6 months ago

Late to the party. Idris had a bash backend (i.e. you could compile Idris to bash), and it's already bit rotted with new Idris versions.

I hope the language is at least as cool as Idris.

[–] fmstrat@lemmy.nowsci.com 3 points 6 months ago

Why not write.. Bash?

[–] yetAnotherUser@lemmy.ca 2 points 6 months ago (2 children)

I checked the docs, and I'm a bit confused with one thing. They show that you can capture the stdout of a command into a variabe, but they never show stderr being captured. How would that work?

load more comments (2 replies)
[–] pkill@programming.dev 2 points 6 months ago

Cool to see that after Cotowali was sadly abandoned due to lack of funding. Please, fund the FOSS projects you use!

[–] starman@programming.dev 2 points 6 months ago

Cool website

load more comments
view more: next β€Ί