[comboy]

Please don't. Why would you want that. Do you really want to put trust in another 3rd party (even if author is great, site can be compromised), just to see some colors in your terminal?

I don't see how do we solve this problem by the way. Most people will always choose convenience over security. And they, as a user, must have some privileges. Even if you ask, they will just go ahead and say yes to get their thing. I understand that. Is there some clever technical fix for this, or do ransomware need to get popular enough to increase users security awareness? It seems to be a really hard problem.

edit: Oh, I'm not very clever, no execution necessary here, just an output from curl. Realized that just after I sent it, but I'm leaving the reply for the second OT part.

[yzmtf2008]

This is a discussion that’s been had before and a problem that’s been solved before: https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...

As a gist, here’s a quote:

    When you install software on Linux, no matter what package manager you use, you are giving that software permission to act as you.

[saghm]

Most (if not all) legit package managers at least use checksums to reduce the chance of malicious packages getting installed; I'm not sure about others, but I believe pacman (the Arch Linux package manager) also refuses to install packages from unless you've imported the GPG key of the distributor. This isn't to say that package managers are completely safe (nothing is), but there are fairly significant differences between using a Linux package manager and piping a script from the internet to be executed.

[ue_]

The owner of the website could sign responses, and you could verify them, in addition to TLS via HTTPS. I think that can make it at least as secure as package management systems.

[saghm]

Yep, I agree. Providing checksums for scripts to curl isn't the the norm from what I've seen, though, which I think fits in with what GP (of my original comment) was saying. Also, I'm not super convinced that most users would bother verifying the checksum; from what I've seen, most people downloading Linux distro images don't even bother verifying the checksums that are provided.

[JeremyBanks]

I'd be great if something like hashpipe could become standard on Linux for this purpose.

See https://news.ycombinator.com/item?id=9318286

[saghm]

This is really cool! I hadn't heard of it before

[vacri]

That article is mixing up "is it safe to do that from us?" and "is it safe to do that?". Do it from another vendor that isn't using https and all their reassurances about the method evaporate. Simply put: the method is bad; it's only when you use a bunch of mitigating actions that it becomes 'not bad'.

[olalonde]

Kind of unrelated but I wish I could do `curl http://example.com/evil-script.sh | vim | bash` and have vim stop the pipe if I :q! or proceed to forward stdin to stdout if I :wq.

[spb]

That's what `vipe` is for: https://joeyh.name/code/moreutils/

[philtar]

I choose convenience over security. And so do you. You didn't read every line of every software you use,because it's not convenient.