by maccard
1810 days ago
If you're afraid the host may be untrusted then you would be wrong to download any of their code at all. The safety is in reviewing the code there, not in avoiding curl | bash. Running pip install or npm install is just as dangerous.

> They should offer a download with signature validation instead. Signed by Apple, Microsoft, etc if possible.

If the host is compromised, the attacker will just get Microsoft to sign their malware instead; see [0]. If the host is compromised, and you run the code without reviewing it, you're hosed regardless.

[0] https://arstechnica.com/gadgets/2021/06/microsoft-digitally-...
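The "review it, then run it" stance above has a concrete shape: fetch the installer to a file, read it, record its hash, and only ever execute a file whose hash still matches what you reviewed. The following is an added example, not code from the thread or from any project discussed in it; it assumes coreutils `sha256sum` (falling back to BSD `shasum`), and it stands in for the `curl` fetch with a constructed local file so it runs offline. Note what it does and does not buy you, in line with the comment: it detects the host serving something different from what you reviewed, but says nothing about whether the version you reviewed was trustworthy in the first place.

```shell
#!/bin/sh
# Added example (not from the HN thread): download-to-file, pin, then run,
# as an alternative to `curl ... | bash`.
# Assumptions: sha256sum (coreutils) or shasum (BSD) is available; the
# "download" below is a constructed local file standing in for a real fetch.

set -u

# Compute the SHA-256 of a file, portable across coreutils and BSD userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only when its hash equals the pinned value recorded at
# review time; otherwise prints a diagnostic and returns 1 without running it.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# Constructed stand-in for a downloaded installer script; prints its path.
make_installer() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'echo installer ran' > "$dir/install.sh"
    printf '%s' "$dir/install.sh"
}

# Demo: pin the hash when the script is reviewed, run it, then simulate the
# host serving a modified script and confirm it is refused. Returns 0 if both
# behaviours are as expected, 1 otherwise.
demo() {
    script=$(make_installer)
    pinned=$(sha256_of "$script")        # recorded when you read the script
    verify_then_run "$script" "$pinned" || return 1
    echo 'echo tampered' >> "$script"    # host now serves something else
    if verify_then_run "$script" "$pinned"; then
        return 1                         # should have been refused
    fi
    return 0
}

demo
```

The pinned hash has to come from somewhere you trust more than the download host at run time, typically a copy you kept from the review; fetching the checksum from the same host at the same moment re-creates exactly the situation the comment describes.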