| HN Mirror

> If you trust the site/author enough to run their code on your computer at all

Piping curl, means you can't be sure it came from the author's site.

It means you can't be sure you're getting the same software you've been considering installing.

It means a broken connection is a broken install, with no cleanup and no idea what it has changed.

> Do you audit the binary installers you use as well?

Don't install random binaries either. The security implications of that should be fairly obvious.

Spivak 3083 days ago

> Piping curl, means you can't be sure it came from the author's site.

Up to the trustworthiness of the CA system yes you can. If the author's site is serving malicious downloads to the curl UA then you're probably hosed either way. It would be easier to just slip malicious code in the software itself.

> It means a broken connection is a broken install, with no cleanup and no idea what it has changed.

This is the real draw of package management. The argument surrounding curl|bash should really focus on this rather than hand-wavy security.

> Don't install random binaries either

Nobody who is running curl|bash isn't installing a 'random' binary but downloading an installer from a source they trust.

[0] https://cli-assets.heroku.com/install-ubuntu.sh

> Up to the trustworthiness of the CA system yes you can. If the author's site is serving malicious downloads to the curl UA then you're probably hosed either way. It would be easier to just slip malicious code in the software itself.

If they have HSTS, otherwise you might end up using plain ol' http by accident. Like over at surge.sh, but at least they use a package manager.

> Nobody who is running curl|bash isn't installing a 'random' binary but downloading an installer from a source they trust.

But you can't trust it, because most shell scripts out there are woefully inadequate. So you're one broken connection, one WiFi drop, from corrupting your system. At least a binary needs to be complete to run.

Example: Heroku's CLI [0]

If it breaks on the echo, you could end up overwriting your entire source list.

e.g. It breaks to:

echo "deb https://cli-assets.heroku.com/branches/stable/apt ./" > /etc/apt/sources.list

instead of the intended

echo "deb https://cli-assets.heroku.com/branches/stable/apt ./" > /etc/apt/sources.list.d/heroku.list

And it'll work too, because the entire thing runs as the root user.

> The argument surrounding curl|bash should really focus on this rather than hand-wavy security.

They're the same thing. A broken connection with curl | sh is a security problem. As is downgraded https, because of an accidentally misconfigured host. As is running without even the basic check of seeing if you get the complete file before executing it.

Everything about curl | sh is inherently untrustworthy.

> Everything about curl | sh is inherently untrustworthy

Nope. Only one item is of minor concern (which I've covered many times in this thread) and it has an easy and known solution.

The rest of your objections are not specific to curl-piped-to-sh and are irrelevant to this discussion.

The sky is not falling, so I'm not sure what your agenda really is.

You didn't answer the 'random ip' question.

> Piping curl, means you can't be sure it came from the author's site.

Assuming you take the same precautions you'd take with any other software download (like using https), there's no difference between curl-piped-to-sh and clicking on a link to a rpm, deb, exe, or anything else.

> It means a broken connection is a broken install

Not if the shell script is written correctly. And if you can't trust the source of your software to get that right, then you can't trust them to get the regular installers right either, so there's no difference here either.

> Don't install random binaries either

No one's advocating for random binaries, but you do have to install binaries from time to time, no? Or are you getting your CPU microcode updates in source form too?

I get it, it's a knee-jerk cargo-cult reaction to flame folks who don't see the huge issue with piping a https URL from the software's main web site to the shell, but if you actually think about it, it does not have the major flaws that you claim it does.

[0] https://cli-assets.heroku.com/install-ubuntu.sh

> You didn't answer the 'random ip' question.

Just because you have a URL, doesn't mean it is connecting to the expected IP. Not everyone uses https yet. Not everyone uses HSTS to protect against downgrading.

> Assuming you take the same precautions you'd take with any other software download (like using https), there's no difference between curl-piped-to-sh and clicking on a link to a rpm, deb, exe, or anything else.

And that assumption isn't a guarantee. Remember who these kinds of installs target: developers with little experience. You can't ensure they'll notice a missing 's'. You can't ensure a worn-out admin will either.

> Not if the shell script is written correctly. And if you can't trust the source of your software to get that right, then you can't trust them to get the regular installers right either, so there's no difference here either.

No. I can't. Have a glance over Heroku's Ubuntu script.[0] It's not fenced, if that echo breaks, it could case some chaos. In fact, none of the commands are even checked for success, except the su.

> No one's advocating for random binaries, but you do have to install binaries from time to time, no? Or are you getting your CPU microcode updates in source form too?

If you look one level up, it's specifically binary installers. And secondly, I use a package manager, which has some review of this kind of thing.

I wouldn't curl a microcode update. That's asking for trouble.

> Just because you have a URL, doesn't mean it is connecting to the expected IP.

Ignoring how weak of an argument that is, I don't see how that is any different of a risk between curl-pipe-to-sh and regular software downloads.

> Remember who these kinds of installs target: developers with little experience.

I think that's a little condescending. I image these kinds of installers target folks who want to get up and running quickly and conveniently, regardless of their experience. And I imagine, on average, folks pasting this into their shell have more than average experience already, since they (1) went out of their way to try this software and (2) know how to open a shell and copy commands into it.

> You can't ensure they'll notice a missing 's'. You can't ensure a worn-out admin will either.

You think it's more likely they will notice the missing 's' in the click-to-download-the-installer scenario than in the paste-a-command-into-the-shell scenario? I find that hard to believe.

> Have a glance over Heroku's Ubuntu script.[0] It's not fenced, if that echo breaks, it could case some chaos.

So file an issue. If their normal installer has bugs in it, things would break too. I don't see the difference. Buggy installers are buggy, which is just an argument against buggy installers, not against different install methods.

> I wouldn't curl a microcode update.

You missed the point. You can download it any way you like; unless you have its source, though, you can't audit it at all. So your claim that binary software is untrustable falls short in the practical world.

> So your claim that binary software is untrustable falls short in the practical world.

Where the hell do you think I made that claim?

> So file an issue.

Are you just trying to ignore everything I say? I responded to a claim that shell installers would be written correctly, with evidence that a fairly sizeable company doesn't get it right.

Your response to that is that it doesn't matter.

> You think it's more likely they will notice the missing 's' in the click-to-download-the-installer scenario than in the paste-a-command-into-the-shell scenario? I find that hard to believe.

A giant green bar is a little bit more than a single letter.

---

You really don't seem interested in a conversation about the shortcomings that exist. You seem interested only picking holes and saying that you are correct.

I have no interest in responding to that kind of conversation.

https://news.ycombinator.com/item?id=16144785

> Where the hell do you think I made that claim?

Right here:

You said:

"Don't install random binaries either. The security implications of that should be fairly obvious."

> a fairly sizeable company doesn't get it right.

Fairly sizable companies mess up a lot of things. That still isn't a good argument against piping to shell though, since it isn't exclusive to that method.

> A giant green bar is a little bit more than a single letter.

Ah but you don't get the green bar for the file you are downloading, you only get it for the page that linked to it. So that's not good enough either.

> You really don't seem interested in a conversation about the shortcomings that exist.

You aren't raising many valid ones; it isn't my fault that the holes are so easy to find.

If you ease up on the hostile language and come back with some arguments that are a bit stronger, maybe you won't feel like this conversation is so one-sided.

I am truly interested in some serious arguments against piping to shell, if there are any besides the one I raised, since all I hear are these bogus ones any time this topic comes up. I have no horse in the race, but cargo cult shunning of a popular install method isn't right. One ought to have real arguments which stand up to a little scrutiny.