Amber - the programming language compiled to Bash
(amber-lang.com)
from syd@lemy.lol to programming@programming.dev on 21 May 2024 17:59
https://lemy.lol/post/25353828
from syd@lemy.lol to programming@programming.dev on 21 May 2024 17:59
https://lemy.lol/post/25353828
New favorite tool š
threaded - newest
One day, someoneās going to have to debug machine-generated Bash. <shivver>
You can do that today. Just ask Chat-GPT to write you a bash script for something non-obvious, and then debug what it gives you.
For maximum efficiency weād better delegate that task to an intern or newly hired jr dev
This is glorious.
<img alt="" src="https://lemmy.world/pictrs/image/a066937e-0af9-44b7-93e9-6b42bdbc5301.jpeg">
What are you talking about?
About the
let
keyword, which is used to declare a variable.I thought so, but why do they object? Do they want Bashās error-prone implicit variable declaration?
They, most probably, just didnāt like the name.
The Javascript style syntax
let
is also used to declare values in better languages than JavaScript, such as Haskell and ML family languages like OCaml and F#How is it using something like this vs just a bash alternative. Can you use this in the shell or only as a compiled language?
If you can use an alternative then do that. This is for situations where you canāt use an alternative or donāt want users to have to install anything else.
you still have to install this though
You donāt have to install it on the machine where the script is run. Thatās the point.
Basically another shell scripting language. But unlike most other languages like Csh or Fish, it can compile back to Bash. At the moment I am bit conflicted, but the thing it can compile back to Bash is what is very interesting. Iāll keep an eye on this. But it makes the produced Bash code a bit less readable than a handwritten one, if that is the end goal.
I wish this nonsense of piping a shell script from the internet directly into Bash would stop. Itās a bad idea, because of security concerns. This install.sh script eval and will even run curl itself to download amber and install it from this url
And all of this while requiring root access.
I am not a fan of this kind of distribution and installation. Why not provide a normal manual installation process and link to the projects releases page: github.com/Ph0enixKM/Amber/releases BTW its a Rust application. So one could build it with Cargo, for those who have it installed.
I would encourage you to actually think about whether or not this is really true, rather than just parroting what other people say.
See if you can think of an exploit I perform if you pipe my install script to bash, but I canāt do it you download a tarball of my program and run it.
Again, think of an exploit I can do it you give me root, but I canāt do if you run my program without root.
(Though I agree in this case it is stupid that it has to be installed in
/opt
; it should definitely install to your home dir like most modern languages - Go, Rust, etc.)I would encourage you to read up on the issue before thinking they havenāt.
Here is the most sophisticated exploit: Detecting the use of ācurl | bashā server side.
It is also terrible conditioning to pipe stuff to bash because itās the equivalent of ājust execute this
.exe
, broā. Sure, right now itās github, but there are other curl|bash installs that happen on other websites.Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.
Anti Commercial-AI license
Butā¦ājust execute this
.exe
, broā is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?No, it was compiled by the team which maintains my distroās package repository, and cryptographically verified to have come from them by my package manager. Thatās a lot different than downloading some random executables I pulled from a website Iād never heard of before and immediately running them as root.
Yes, I agree package managers are much safer than curl-bash. But do you really only install from your platformās package manager, and only from its central, vetted repo? Including, say, your browser? Moreover, even if you personally only install pre-vetted software, itās reasonable for new software to be distributed via a standalone binary or install script prior to being added to the package manager for every platform.
Everything youāve ever needed was available in your distroās package manager?
Are you seriously comparing installing from a repo or āapp storeā to downloading a random binary on the web and executing it?
P.S Iāve compiled a lot of stuff using
nix
, especially when itās not in the cache yet or I have to modify the package myself.Anti Commercial-AI license
No, I agree that a package manager or app store is indeed safer than either curl-bash or a random binary. But a lot of software is indeed installed via standalone binaries that have not been vetted by package manager teams, and most people donāt use Nix. Even with a package manager like apt, there are still ways to distribute packages that arenāt vetted by the central authority owning the package repo (e.g. for apt, that mechanism is PPAs). And when introducing a new piece of software, itās a lot easier to distribute to a wide audience by providing a standalone binary or an install script than to get it added to every platformās package manager.
It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what youāll be running. Same for a source tarball. Thatās my main gripe with this piping stuff. It assumes you donāt even care about the security.
That makes the exploit less detectable sure. Not fundamentally less secure though.
Link btw? I have not heard of an actual attack using this.
.
Whoa, thatās a real bad take there bud. You are completely and utterly wrong.
Convincing rebuttal š
I mean, you can always just download the script, investigate it yourself, and run it locally. Iād even argue itās actually better than most installers.
Install scripts are just the Linux versions of installer exes. Hard and annoying to read, probably deviating from standard behaviour, not documenting everything, probably being bound to specific distros and standards without checks, assuming stuff way too many times.
Compiling to bash seems awesome, but on the other hand I donāt think anyone other than the person who wrote it in amber will run a bash file that looks like machine-generated gibberish on their machine.
See, i disagree because
Lol I barely want to run (or read) human generated bash, machine generated bash sounds like a new fresh hell that I donāt wanna touch with a ten foot pole.
I disagree. People run Bash scripts they havenāt read all the time.
Hell some installers are technically Bash scripts with a zip embedded in them.
<img alt="" src="https://lemmy.world/pictrs/image/a7b596c2-f306-4ef3-8c1e-d398dfbb8342.jpeg">
Thereās a joke here but Iām not clever enough to make it.
what browser are you using? It renders just fine on mobile and desktop to me
Whatever boost defaults to on a note9
Pretty cool bug. Looks like a surreal meme
with no support for associative arrays (dicts / hashmaps) or custom data structs this looks very limited to me
Does Bash support those? I think the idea is that itās basically Bash, as if written by a sane person. So it supports the same features as Bash but without the army of footguns.
it does, well at least associative arrays
A language being compiled should be able to support higher-level language concepts than what the target supports natively. Thatās how compiling works in the first place.
That depends on how readable you want the output to be. Itās already pretty bad on that front. If you start supporting arbitrary features itās going to end up as a bytecode interpreter. Which would be pretty cool too tbf! Has anyone written a WASM runtime in bash? š
Honestly, wouldnāt it be great if POSIX eventually specified a WASM runtime?
Yeah definitely! I wouldnāt hold your breath though. Especially as thatās pretty much an escape route from POSIX. I doubt theyād be too keen to lose power.
Looking at the example
<img alt="" src="https://programming.dev/pictrs/image/2a002f32-9529-4854-af56-c491a672cb88.png">
Why does the generated bash look like that? Is this more safe somehow than a more straighforward bash if or does it just generate needlessly complicated bash?
Especially as Bash can do that anyway with
if [ ā${__0_age}ā -lt 18 ]
as an example, and could be straight forward. Also Bash supports wildcard comparison, Regex comparison and can change variables with variable substitution as well. So using these feature would help in writing better Bash. The less readable output is expected though, for any code to code trans-compiler, its just not optimal in this case.Itās probably just easier to do all arithmetic in
bc
so that thereās no need to analyze expressions for Bash support and have two separate arithmetic codegen paths.But its the other way, not analyzing Bash code. The code is already known in Amber to be an expression, so converting it to Bash expression shouldnāt be like this I assume. This just looks unnecessary to me.
No, I mean, analyzing the Amber expression to determine if Bash has a native construct that supports it is unnecessary if all arithmetic is implemented using
bc
.bc
is strictly more powerful than the arithmetic implemented in native Bash, so just rendering all arithmetic asbc
invocations is simpler than rendering some withbc
and some without.Note, too, that in order to support Macs, the generated Bash code needs to be compatible with Bash v3.
I see, itās a universal solution. But the produced code is not optimal in this case. I believe the Amber code SHOULD analyze it and decide if a more direct and simple code generation for Bash is possible. That is what I would expect from a compilers work. Otherwise the generated code becomes write only, not read only.
Compiled code is already effectively write-only. But I can imagine there being some efficiency gains in not always shelling out for arithmetic, so possibly thatās a future improvement for the project.
That said, my reaction to this project overall is to wonder whether there are really very many situations in which itās more convenient to run a compiled Bash script than to run a compiled binary. I suppose the Bash has the advantage of being truly ācompile once, run anywhereā.
Yeah that shit is completely unreadable
So many forks for something that can be solved entirely with bash inbuilts
I doubt the goal is to produce easily understood bash, otherwise youād just write bash to begin with. Itās probably more similar to a typescript transpiler that takes in a language with different goals and outputs something the interpreter can execute quickly (no comment on how optimized this thing is).
when people have too much free time
The language idea is good, but:
THREE.WebGLRenderer: A WebGL context could not be created. Reason: WebGL is currently disabled
.Seriously? Why do I need WebGL to read TEXT in docs? :/
Why not compile it to sh though.
There is no sh shell. /bin/sh is just a symlink to bash or dash or zsh etc.
But yes, the question is valid why it compiles specifically to bash and not something posix-compliant
lol
Yes, there was the bourne sh on Unix but I donāt see how thatās relevant here. Weāre talking about operating systems in use. Please explain the downvotes
Itās relevant because there are still platforms that donāt have actual Bash (e.g. containers using Busybox).
sh
is not just a symlink: when invoked using the symlink, the target binary must run in POSIX compliant mode. So itās effectively a sub-dialect.Amber compiles to a language, not to a binary. So āwhy doesnāt it compile to
sh
ā is a perfectly reasonable question, and refers to the POSIX shell dialect, not to the/bin/sh
symlink itself.Thanks
Why not writeā¦ Bash?
Hereās a language that does bash and Windows batch files: github.com/batsh-dev-team/Batsh
I havenāt used either tool, so I canāt recommend one over the other.
The only issue I have is the name of the project. They should have gone with a more distinct name.
I canāt believe they didnāt with go with BatShIt. itās right there! they were SO close!
If their official website isnāt batsh.it Iām going to be very sad.
Edit: ā¹ļø
Cool website
Iām a mathematician with very limited programming experience. Can someone explain the significance of this?
Basically dealing with abandoned-by-god syntax and limitations of bash. You can abstract them away!
Bash is one of the most used shell language, itās installed on almost all Linux and Mac systems and can also be used on windows. Almost no one likes writing it as it is convoluted and really really hard to read and write. There are many replacement languageās for it, but using them is troublesome, because of incompatibilities. Amber is compiled which will solve problems with compatibility and it seems that language itself is very readable. On top of that it has most futures that modern programmers need.
Thank you, I think I understand now. š
Late to the party. Idris had a bash backend (i.e. you could compile Idris to bash), and itās already bit rotted with new Idris versions.
I hope the language is at least as cool as Idris.
Iām very suspicious of the uses cases for this. If the compiled bash code is unreadable then whatās the point of compiling to bash instead of machine code like normal? It might be nice if youāre using it as your daily shell but if someone sent me ācompiledā bash code I wouldnāt touch it. My general philosophy is if your bash script gets too long, move it to python.
The only example I can think of is for generating massive
install.sh
Gotta try, the website seems amazing
Cool to see that after Cotowali was sadly abandoned due to lack of funding. Please, fund the FOSS projects you use!
As someone who has done way too much shell scripting, the example on their website just looks bad if iām being honest.
I wrote a simple test script that compares the example output from this script to how i would write the same if statement but with pure bash.
hereās the script:
Comment out the line you dont want to test then run
hyperfine ./script
I found that using the amber version takes ~2ms per run while my version takes 800microseconds, meaning the amber version is about twice as slow.
The reason the amber version is so slow is because: a) it uses 4 subshells, (3 for the pipes, and 1 for the $() syntax) b) it uses external programs (bc, sed) as opposed to using builtins (such as the (( )), [[ ]], or [ ] builtins)
I decided to download amber and try out some programs myself.
I wrote this simple amber program
it compiled to:
and i actually facepalmed because instead of directly accessing the first item, it first creates a new array then accesses the first item in that array, maybe thereās a reason for this, but i donāt know what that reason would be.
I decided to modify this script a little into:
so now we have 1000 items in our array, I bench marked this, and a version where it doesnāt create a new array. not creating a new array is 600ms faster (1.7ms for the amber version, 1.1ms for my version).
I wrote another simple amber program that sums the items in a list
This is the complete review write up I love to see, letās not get into the buzzword bingo and just give me real world examples and comparisons. Thanks for doing the real work š
I like the idea in principle. For it to be worth using though, it needs to output readable Bash.
Why?
Because you still need to be able to understand whatās actually getting executed. Thereās no debugger so youāll still be debugging Bash.
I checked the docs, and Iām a bit confused with one thing. They show that you can capture the stdout of a command into a variabe, but they never show stderr being captured. How would that work?
Like this: āāā $mv file.txt dest.txt$ failed { echo āIt seems that the file.txt does not existā } āāā
Knowing if a command failed and capturing stderr (which contains stuff like error messages) are not the same thing.
Just learn Bash lol
Iām trying but Iām shooting my own foot all the time š¢
Itās okay itās filled with foot guns.
Why and where would this be useful?
As a long-time bash, awk and sed scripter who knows heāll probably get downvoted into oblivion for this my recommendation: learn PowerShell
Itās open-source and completely cross-platform - I use it on Macs, Linux and Windows machines - and you donāt know what youāre missing until you try a fully objected-oriented scripting language and shell. No more parsing text, built-in support for scalars, arrays, hash maps/associative arrays, and more complex types like version numbers, IP addresses, synchronized dictionaries and basically anything available in .Net. Read and write csv, json and xml natively and simply. Built-in support for regular expressions throughout, web service calls, remote script execution, and parallel and asynchronous jobs and lots and lots of libraries for all kinds of things.
Seriously, I know its popular and often-deserved to hate on Microsoft but PowerShell is a kick-ass, cross-platform, open-source, modern shell done right, even if it does have a dumb name imo. Once you start learning it you wonāt want to go back to any other.
I appreciate you sharing your perspective. Mine runs counter to it.
The more PowerShell I learn, the more I dislike it.
As someone who spent 2 years learning and writing PowerShell for workā¦ Itāsā¦ Okay. Way easier to make stuff work then bash, and gets really powerful when you make libraries for it. Butā¦ I prefer Python and GoLang for building scripts and small apps.
Do you write it for work?
I do. Currently I use it mostly for personal stuff as part of my time spent on production support. Importing data from queries, exporting spreadsheets, reading complex json data and extracting needed info, etc. In the past when I was on DevOps used it with Jenkins and various automation processes, and Iāve used it as a developer to create test environments and test data.
Nice! Sounds like a good use case.