Hacker News new | ask | show | jobs
by e12e 1810 days ago
> The safety in your steps is reading the script, not in avoiding curl | bash

Well, yes. The safety is in doing something between "acquire potentially malicious payload" and "running payload". I don't see how "safety [is] not in avoiding curl | bash" when, avoiding the direct pipe to bash is exactly what I suggest.

If you look at the url, then curl and pipe that url, you have no idea if bash sees what you just reviewed.
1 comments
maccard 1810 days ago
But you have exactly the same problem with downloading a binary, or running pip install. You have no idea what that code does, so curl | bash doesnt hurt any more than any other normal methods of installation.
link
e12e 1810 days ago
It's a little easier to read a 10 line bash script than a 35 mb binary installer?
link
maccard 1809 days ago
Do you read the source of every setup.py you run before running pip install? Also, if you are untrusting of the source enough to verify their install script is safe, why would you install their template to run on your machine without verifying all of that too? Finally, 10 line bash script might (as tbis example does) just call out to another curl | bash, or to a pip install/npm install.
link
e12e 1809 days ago
> Do you read the source of every setup.py you run before running pip install?

I generally run make, setup.py, cargo build etc in the context of cloning a source repository. I certainly could do a better job of sanity-checking those things, but I do try. And I definitely try to avoid having sudo credentials cached when I do - to foil "sudo cp artifact /usr/sbin" and other awful things people do, because they found it convenient.

> Also, if you are untrusting of the source enough to verify their install script is safe, why would you install their template to run on your machine without verifying all of that too?

I generally trust people more to write "left pad" than install scripts. Many sysadmins are good programmers, few programmers are even remotely decent sysadmins in my experience.

> Finally, 10 line bash script might (as tbis example does) just call out to another curl | bash

In which case one has to chase down the rabbit, or give up.

Sometimes one will discover that the end game was downloading a gpg signed tar archive with the release artifacts - and one can go and do that.

> or to a pip install/npm install.

People do do awful stuff in makefiles and package install scripts, but for vanilla python/Javascript - the lazyness of programmers tend to work to our advantage - there be little extra madness/magic in there.

Sute, running pip install -r requirements.txt can do almost anything - but it's unlikely to run your package manager under sudo and mess up your system packages, or add something questionable to your package sources.

link