Don't ask people to copy-paste commands into terminal

[caspear]

On https://pond.imperialviolet.org/ you ask people to copy-paste some shell commands directly into a terminal.

That is a terrible security practice, because of https://thejh.net/misc/website-terminal-copy-paste

Please change your wording to ask them to paste the commands elsewhere first, so that it doesn't look like you are trying to attack them.

[shawnl]

I feel this is already part of the threat model:

"The user obtains an authentic copy of Pond.
The computer correctly executes the program and is not compromised by malware."

[caspear]

I think I am being insufficiently clear.

The page explicitly instructs the end user to copy code from a web page and paste it directly into the terminal.

That is not a safe operation, because there is no WYSIWYG when copying from a web browser. Teaching people that it is an acceptable thing to do encourages development and persistence of harmful practices.

I made you a pull request that hopefully demonstrates what I am trying to say.