[steventhedev]

As an aside, is this the new pipe curl to sudo bash?

    docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d

[INTPenis]

This reminds me of how some vagrant images run scripts. Maybe all of them. I started using vagrant a month ago and recently noticed that the official debian/buster64 image wants to run a script with sudo.

Yet the generic/debian10 and centos/7 images I otherwise use require no such privilege escalation to function.

It seems unnecessary and dangerous, I refuse to use such images if possible. But I did also setup a sudoers config to allow only the NFS commands that they need, just in case.

Point being that all these new tools we're using involve a lot of trust. Many of them can be treated just like curl piping to bash.

[jraph]

Except you cannot even look at the contents of the file being piped beforehand and hope that the same file is downloaded when you actually pipe it. It's more like running setup.exe using the administrator account.

[viraptor]

Sure you can - first pull, then there's many tools to help you. For example https://github.com/larsks/undocker/

[ownagefool]

Indeed.

You can also pull via the sha rather than the tag, which gives you significant extra assurance.

docker pull docker/binfmt@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a

Once you've confirmed you're happy with the script, I don't believe there is any issue with automating this.

docker run --rm --privileged docker/binfmt:@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a

In theory, the underlying container cannot be changed, which is what most of the issues with piping curl into bash is.

[jraph]

Isn't that akin to extracting setup.exe? You still don't get to inspect the binaries bundled in the image.