| Hey, I use "curl | sh" myself. But I don't pretend there's no security risk in doing so. Like you advised, I exercise critical thinking, and then I take a risk. On someone else's production machine, or a container with sensitive data, that risk is too high. On a fun machine in isolation it's fine. The GPP asks what's the security difference between inspecting and not inspecting the downloaded command. > or that they have been compromised by a malicious actor without being detected at the same time you run the installer Installers are compromised quite often by malicious actors. Running an installer is just as dubious as running "curl | sh". However, replacing an installer with one that looks the same but is actually malicious, is a lot more work than replacing a blind script with one that looks the same but is actually malicious. And the risk of a malicious blind script going unnoticed is higher than a compromised installer when the SHA256 is shown to be checked alongside the latter's link, simply because the attacker would need to change two places instead of one. Yes I do check hashes of installers when that's possible and there isn't a package manager already doing so. It's a good idea anyway in case of a corrupted download file, which I do see from time to time. |