I am cursed with the affliction of seeing both sides in many situations. Sam is without a doubt right, in that an attack on the users of pow, presumably being small in number, is unlikely. Thomas is also right, in that a situation like this is almost the epitome of low hanging fruit to an attacker with the means and motivation to attack someone installing pow.

I think both parties need to be cut some slack. Sam is in a position where he's just trying to get some things done and make it easy on the user to run some great software. Laudable, without a doubt. Thomas is in a situation where he sees the evil that men do, and just wants to point out a tweak that could potentially head off problems for people wanting to opt in to said great software. Also laudable, without a doubt.

Where I will come down on one side is the release of gosh, which is difficult to interpret as anything but an attempt to mock one of their positions. The adjective "theoretical" is perhaps one of the sticking points. The problem here is that the transformation from theoretical to actual in terms of a threat is unfortunately just a couple of hours of coding on my part, and I say this with full knowledge that most participants at HN far exceed my skill level. I would use bog-standard tools, all of which are already installed on my laptop, even though I am not in the habit of doing such things. For a myriad of reasons, the least of which being industry health, it shouldn't be necessary for me to pull an Eric Butler in the next few hours for this topic to go from theoretical to actual threat.

At the heart of things, there is a disconnect between those in the security industry and those who aren't. If you attempt to be totally secure you'll find yourself in a recursion loop that never exits. If you attempt to just get things done, you can find yourself employing practices that are quite simply horrifying to those who are stuck in said recursion loop. If you attempt to take a moderating view, 9 out of 10 times you'll find yourself agreed with, yet your suggestions will mostly go unfollowed. Until some common exploit comes about, at which point those same 9 out of 10 folks will mention that this vulnerability has been known about since the beginning of time.

In my view, we all need to meet on some common ground. Sure, if you don't have http-->sh executions going on there are still 10^10 other attack vectors out there. But for right now, that's more or less the only solution the security industry has to offer. Keep plugging away at low hanging fruit. It raises the bar.

Bottom line here is that Thomas doesn't seem like too bad a guy to me, and I doubt he's looking to tarnish the reputation of a great piece of software. But he's bringing up a good point that is refreshingly actionable. It's an opportunity to make things just a wee bit better with a minimal amount of disruption. I'd suggest that you mock it at everyone's peril.
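The "http-->sh" pattern the comment is arguing about, shown beside the small tweak that takes it off the low-hanging-fruit list. This is an added example, not code from the HN thread, from pow, or from gosh, and it does not claim to be the specific change Thomas proposed. The URL, the file path and the pinned digest are placeholders; the only thing the example depends on is a SHA-256 tool (coreutils `sha256sum`, macOS `shasum`, or `openssl`) and `curl`, which is only invoked in the fetch step, not in the offline check.

```shell
#!/bin/sh
# Added example (not from the original thread, pow, or gosh): the
# "http --> sh" install line beside a fetch, verify, then run version.

# Weak pattern (hypothetical URL): whatever the network returns runs as you,
# immediately, with no chance to look at it. Over plain http anyone on path
# (coffee-shop wifi, a poisoned DNS answer) can hand you a different script.
#   curl http://example.invalid/install.sh | sh

# Portable SHA-256 of a file: sha256sum (coreutils), shasum (macOS), or openssl.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Hardened pattern, step 1: fetch to a file over TLS only. -f fails on HTTP
# errors instead of piping an error page into sh, and --proto '=https'
# refuses a redirect back down to plain http.
fetch_installer() {
    url=$1
    out=$2
    curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Step 2: compare the file against a digest pinned out of band (README,
# signed release notes, a value you copied last time), and only then hand
# it to the shell. On mismatch nothing is executed and the function
# returns 1.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(digest_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s, expected %s\n' \
            "$file" "$actual" "$expected" >&2
        return 1
    fi
    sh "$file"
}

# Usage (hypothetical URL and digest):
#   fetch_installer https://example.invalid/install.sh /tmp/install.sh
#   verify_and_run /tmp/install.sh <pinned-sha256-hex>
```

The caveat that matters: the pinned digest has to arrive by a different channel than the script. A `.sha256` file sitting next to `install.sh` on the same plain-http server can be swapped by the same attacker in the same request, so it proves nothing; a digest in a README you read over TLS, or a signature checked against a key you already hold, is what actually moves the attack out of the "couple of hours with stock tools" bracket.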