by craftyguy 2961 days ago
Slightly off-topic, but from the pi-hole page:

> Install by running one command:

> curl -sSL https://install.pi-hole.net | bash

Installing arbitrary software off the internet by piping curl output to bash is a terrible idea. At the very least, I would have expected them to sign this script... considering this software has unlimited access to your internal network, and the ability to influence ALL network traffic into/out of your internal network.


Immediately below that line on the pi-hole site:

> Our code is completely open, but piping to bash can be dangerous. For a safer install, review the code and then run the installer locally.

And yet piping to bash is being advertised boldly as the 'one-liner install process'.

In other news, eating rat poison might kill you, but there's a tiny warning printed on the back so no one will ever do it.

What people do to install software 98% of the time is download a proprietary Windows binary and execute it - occasionally also with elevated privileges.

Piping to bash is dangerous but it’s not more dangerous than software installation in general. I think this point is sometimes lost on e.g. people who run software from vetted repositories like apt or often build their open source apps from source. Computer programs to most people means double clicking an exe.

> What people do to install software 98% of the time is download a proprietary windows binary and executing it

Not people who avoid Windows. Every respectable Linux distro has package signing by default these days. And none support a default install process of piping arbitrary scripts from the internet to a shell.

There's no reason for the pi-hole folks, who made a thing that runs on Linux, to ignore the security implications and recommend something dangerous for a device with a lot of potential power.
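The "download, review, verify, then run locally" alternative the thread keeps pointing at, written out as an added example in POSIX shell (not pi-hole's installer or any commenter's code). The installer URL and the expected SHA-256 digest are assumed to be supplied by the operator from an out-of-band source, and the demo script is constructed inline so the block runs offline.

```shell
#!/bin/sh
# Added example: a defender-side replacement for `curl ... | bash`.
# The script is saved to disk, checked against a digest obtained out of
# band (release notes, a signed checksum file, etc.), and only then
# inspected and executed locally. No URL or digest here is real.

# fetch_installer URL DEST: download to a file instead of piping to a shell.
fetch_installer() {
    curl -fsSL "$1" -o "$2"
}

# sha256_of FILE: print the SHA-256 hex digest with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256: exit 0 on match, 1 otherwise.
verify_installer() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256: refuse to execute unless verified.
# Returns 2 and runs nothing when the digest does not match.
run_verified() {
    if ! verify_installer "$1" "$2"; then
        echo "digest mismatch for $1, refusing to run" >&2
        return 2
    fi
    sh "$1"
}

# demo: constructed stand-in for a downloaded installer; shows the
# verified run succeeding and a tampered (wrong-digest) run being refused.
demo() {
    tmp=$(mktemp)
    printf 'echo installer ran\n' > "$tmp"
    good=$(sha256_of "$tmp")
    ok=0;  run_verified "$tmp" "$good" >/dev/null || ok=$?
    bad=0; run_verified "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" 2>/dev/null || bad=$?
    rm -f "$tmp"
    echo "verified:$ok tampered:$bad"
}
```

A signature check (for example over the checksum file) would sit in place of, or alongside, the digest comparison; the point is that nothing executes before the file is on disk and checked.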