Yubikeys. I have 2 of them and both have the same entries in case one breaks.
I need to look it up again, but I read about a study that showed that the results improve if you tell the AI that your job depends on it or similar drastic things. It’s kinda weird.
- Undaunted@feddit.org to Linux@programming.dev • Am I the only one who cringes at install instructions that require piping some curl output into bash? • 1 year
I never tried to win any argument. Hell, I was not even aware that I’m participating in one. I just wanted to share the info that even if the vendor is absolutely trustworthy and even if you validated the script by downloading and looking at it, there’s still another hole that’s not obvious to see.
Yes, it’s unlikely, but again, I never said it was. There are also arguments you can run curl with, to tell it to do the download first and then push it through the pipe afterwards, though I don’t know them by heart now.
It won’t cost you anything to set those parameters when you insist on using curl | bash, just on the off chance that someone’s trying to do what I mentioned.
But I’m also someone who usually validates their downloads with a checksum so maybe I’m just weird. Who knows.
- Undaunted@feddit.org to Linux@programming.dev • Am I the only one who cringes at install instructions that require piping some curl output into bash? • 1 year
Oh, you’re welcome, kind person :)
- Undaunted@feddit.org to Linux@programming.dev • Am I the only one who cringes at install instructions that require piping some curl output into bash? • 1 year
It is actually a passive detection based on the timing of the chunk requests. Because curl by default will only request new chunks when the buffer is freed by the shell executing the given commands. This then can be used to detect that someone is not merely downloading but simultaneously executing it. Here’s a writeup about it:
You can also find some proof-of-concept implementations online to try it out yourself.
- Undaunted@feddit.org to Linux@programming.dev • Am I the only one who cringes at install instructions that require piping some curl output into bash? • 1 year
You shouldn’t install software from someone you don’t trust anyway, because even if the installation process is safe, the software itself can do whatever it has permission to.
“So if you trust their software, why not their install script?” you might ask. Well, it is detectable on the server side whether you download the script or pipe it into a shell. So even if the vendor is trustworthy, there could be a malicious middle man that gives you the original and harmless script when you download it, and serves you a malicious one when you pipe it into your shell.
And I think this is not obvious and very scary.
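The comments above describe two habits: finishing the download before anything runs, and checking a checksum. As an added example (not code from the thread or from any project mentioned in it), this sketch combines both. The function names are hypothetical, the URL in the usage comment is a placeholder, and it assumes the pinned SHA-256 was obtained from a separate trusted channel.

```shell
#!/usr/bin/env bash
# Added example: fetch an installer completely, verify it, then execute it.
# Function names are hypothetical; URL and digest are supplied by the caller.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the pinned one.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# Write the whole response to disk; nothing executes while the transfer
# is in progress, so a shell never throttles the chunk requests.
fetch_to_file() {
    curl --fail --silent --show-error --location --output "$2" "$1"
}

# Run a local script only if it matches the pinned digest.
run_if_verified() {
    local file="$1" expected="$2"
    if ! verify_sha256 "$file" "$expected"; then
        echo "digest mismatch for $file, refusing to run" >&2
        return 1
    fi
    bash "$file"
}

# Full flow, e.g.:
#   install_verified https://example.invalid/install.sh <pinned-sha256>
install_verified() {
    local url="$1" expected="$2" tmp rc
    tmp=$(mktemp) || return 1
    if fetch_to_file "$url" "$tmp" && run_if_verified "$tmp" "$expected"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The bytes that were hashed are the same bytes that get executed, so a server that answers differently to a piped request has nothing to distinguish.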
- 1 year
They dropped the Tidal integration and I’m still heartbroken. It was the best setup for music discovery. Haven’t found a replacement yet.



Did you test your gluetun setup manually and make sure it generally works (e.g. by setting up another container that is connected to gluetun, going into the shell and trying to ping a public service that you’re sure isn’t blocking requests from VPN users)?
If it does work and only qBittorrent can’t connect, it could be due to the trackers blocking VPN users. I’m not torrenting but I’ve read about that in the past.