Why would you be using a random ip? That incantation is usually used with a URL where you would have just downloaded and installed the software manually anyway.
There are various arguments against the curl-piped-to-shell idiom but "random ip" doesn't seem like a valid one.
Building a script that acts differently for a web browser, a normal download, and curl, is trivial, and I've seen it happen. Here's a proof-of-concept[0] someone else wrote.
Manually downloading is safer, at least you can review, curling straight into a shell is inherently unsafe.
The better option is still a package manager, but curling straight to a shell is very unsafe.
And why wouldn't you trust the source of the install script as much as any other installer?
Do you audit the binary installers you use as well?
I don't disagree about a minor difference between the methods, but I definitely disagree with piping to sh being "very unsafe". If you trust the site/author enough to run their code on your computer at all, the install method risk difference is but a tiny drop in the bucket.
> Piping curl, means you can't be sure it came from the author's site.
Up to the trustworthiness of the CA system yes you can. If the author's site is serving malicious downloads to the curl UA then you're probably hosed either way. It would be easier to just slip malicious code in the software itself.
> It means a broken connection is a broken install, with no cleanup and no idea what it has changed.
This is the real draw of package management. The argument surrounding curl|bash should really focus on this rather than hand-wavy security.
> Don't install random binaries either
Nobody who is running curl|bash isn't installing a 'random' binary but downloading an installer from a source they trust.
> Up to the trustworthiness of the CA system yes you can. If the author's site is serving malicious downloads to the curl UA then you're probably hosed either way. It would be easier to just slip malicious code in the software itself.
If they have HSTS, otherwise you might end up using plain ol' http by accident. Like over at surge.sh, but at least they use a package manager.
> Nobody who is running curl|bash isn't installing a 'random' binary but downloading an installer from a source they trust.
But you can't trust it, because most shell scripts out there are woefully inadequate. So you're one broken connection, one WiFi drop, from corrupting your system. At least a binary needs to be complete to run.
Example: Heroku's CLI [0]
If it breaks on the echo, you could end up overwriting your entire source list.
And it'll work too, because the entire thing runs as the root user.
> The argument surrounding curl|bash should really focus on this rather than hand-wavy security.
They're the same thing. A broken connection with curl | sh is a security problem. As is downgraded https, because of an accidentally misconfigured host. As is running without even the basic check of seeing if you get the complete file before executing it.
Everything about curl | sh is inherently untrustworthy.
> Piping curl, means you can't be sure it came from the author's site.
Assuming you take the same precautions you'd take with any other software download (like using https), there's no difference between curl-piped-to-sh and clicking on a link to a rpm, deb, exe, or anything else.
> It means a broken connection is a broken install
Not if the shell script is written correctly. And if you can't trust the source of your software to get that right, then you can't trust them to get the regular installers right either, so there's no difference here either.
> Don't install random binaries either
No one's advocating for random binaries, but you do have to install binaries from time to time, no? Or are you getting your CPU microcode updates in source form too?
I get it, it's a knee-jerk cargo-cult reaction to flame folks who don't see the huge issue with piping a https URL from the software's main web site to the shell, but if you actually think about it, it does not have the major flaws that you claim it does.
Just because you have a URL, doesn't mean it is connecting to the expected IP. Not everyone uses https yet. Not everyone uses HSTS to protect against downgrading.
> Assuming you take the same precautions you'd take with any other software download (like using https), there's no difference between curl-piped-to-sh and clicking on a link to a rpm, deb, exe, or anything else.
And that assumption isn't a guarantee. Remember who these kinds of installs target: developers with little experience. You can't ensure they'll notice a missing 's'. You can't ensure a worn-out admin will either.
> Not if the shell script is written correctly. And if you can't trust the source of your software to get that right, then you can't trust them to get the regular installers right either, so there's no difference here either.
No. I can't. Have a glance over Heroku's Ubuntu script.[0] It's not fenced, if that echo breaks, it could case some chaos. In fact, none of the commands are even checked for success, except the su.
> No one's advocating for random binaries, but you do have to install binaries from time to time, no? Or are you getting your CPU microcode updates in source form too?
If you look one level up, it's specifically binary installers. And secondly, I use a package manager, which has some review of this kind of thing.
I wouldn't curl a microcode update. That's asking for trouble.
There are various arguments against the curl-piped-to-shell idiom but "random ip" doesn't seem like a valid one.