The unfortunate problem with this is that while piping directly into bash can be exploited, it remains one of the easiest ways to install programs. Take RVM, for example. Their instructions are to run this: `curl -sSL https://get.rvm.io | bash -s stable`. The script that is executed is 887 lines long. The installation is "complex", requiring a lot of different stages. Now, the solution to this is "Use a package manager". Sure, that works in a lot of cases. However, when you have something like RVM which is used across several major operating systems, and hundreds of different flavours, each with their own quirks and package managers, it suddenly gets difficult to manage each of these. The problem we face is, how can we make it easy to install something, while still being safe and maintainable? Breaking this down further, there are 2 issues to solve. The first is "How do we ensure what we download is what the maintainer says that we should download?", i.e., how do we make sure there are no malicious injections? That one is simple. Use SSL. The second issue is, "I want to install this thing but I don't know if I can trust the installer". Are you crazy!? This isn't an issue. If you don't trust the installer, you sure as hell can't trust the product. If you don't trust either of them, then you automatically don't trust the other and shouldn't be installing it. The result is that, yes, people can maliciously serve up code when you pipe the output of curl through bash without you realising. However, this is no different than blindly trusting and installing a script.
I can't think of ten pieces of software with excellent installers.
Software distributors generally pay very little attention to the installer. That is because installers are written by people who want to try and make it easy to install something, and don't really care about anything else. If they can get you to install something, helping you remove it isn't their problem.
If they can get you to install something, protecting you from really unlikely things like someone hacking their CDN and delivering malware is a high quality problem: Either they have enough users so that they will be forgiven, or they won't have enough users and the project is abandoned anyway.
I don't trust installers.
I don't trust installers to document what they're doing, or tell me where files go, because they don't.
I don't trust installers to deliver a secure transparent experience, because they don't.
I don't trust installers to consider conflicts, like what else I have installed, because they don't.
I don't trust installers to create security boundaries, protecting me and my files from bugs in the software, because they don't.
For things that are open source, I try to use the software in-tree without installing it. For other things, I evaluate using a virtual machine. Seriously, I don't trust installers because all of you are bad at them.
> The problem we face is, how can we make it easy to install something, while still being safe and maintainable?
Google, Apple, Microsoft, et al have recommended publishing platforms (aka "app stores") that are designed to specifically solve this problem.
For Debian and its derivatives, we can approach a Debian Maintainer and ask them for help getting it into Debian. For other distributions, we can take similar steps.
If we insist on publishing things ourselves, we can make our software really portable: Let it live in any directory, and not touch any files. Make it easy for the user to verify this.
If we can't do that, we can document the details: Explain all the files we touch and why, and recommend users create separate user accounts (or containers/virtual machines) to really protect themselves. Try to get people used to this level of care because having a positive experience with good software with excellent documentation[1] will give you pause when faced with anything else.
Honestly, the number of programs that want to run as root or as my user account is terrifying, and the amount of work necessary to sandbox unknown apps really makes me not want to bother. I know most people don't worry about this, so purely from a "hurr hurr move fast" point of view, this isn't anything anyone needs to worry about: `curl | bash` is good enough, and will likely be good enough for a long time.
[1]: http://cr.yp.to/qmail.html
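The first post's split between "is this what the maintainer published?" (transport integrity) and "do I trust the script?" and this post's "make it easy for the user to verify this" can be put into practice by fetching the installer to disk, checking it against a checksum published out of band, and only then running it. The script below is an added example for this thread, not RVM's or anyone's official installer; the URL and hash are placeholders.

```shell
#!/bin/sh
# Added example: download an installer to a file, verify a checksum obtained
# out of band (release notes, signed page), and run it only if it matches.
# Nothing is executed while the bytes are still streaming from the server.
set -eu

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise.
verify_installer() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_and_run URL EXPECTED_SHA256
# curl verifies the TLS certificate by default; --proto '=https' refuses a
# redirect to plain http. The hash check covers what TLS cannot: a changed or
# swapped script on a server that is otherwise legitimately yours to reach.
fetch_and_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    curl --proto '=https' --tlsv1.2 -sSfL -o "$tmp" "$url"
    if verify_installer "$tmp" "$expected"; then
        # The file is on disk now, so it can also be read before this step.
        bash "$tmp"
    else
        echo "checksum mismatch for $url; not running" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage (placeholder URL and hash; the real hash must come from somewhere
# other than the server that serves the script):
# fetch_and_run https://example.invalid/install.sh 0123abcd...placeholder
```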