Hacker News new | ask | show | jobs
by denton-scratch 1751 days ago
I'm not OK with the modern practice of recommending end-users download and execute a script from the big, bad web without first reading it.

I guess I'm just an old fuddy-duddy, and if you feel it's OK, knock yourself out. But I really think software developers should know better than to rely on this practice simply because it makes their install process into a one-liner. I'm sure they could do better than recommending users execute random scripts from the intarwebs, sight-unseen.
1 comments
knadh 1751 days ago
What is the difference between downloading and running a bash script vs. downloading and running a binary or a Docker image?

Surely, when downloading a piece of software from a (quasi?) trusted source, no developer is going to read all the lines of source code before running it. And if that's the case, how is downloading and running an .sh from the same source any different?

link
e12e 1751 days ago
It's probably a bad idea to willy-nilly "docker run" something too - but in this case it's extra silly - the demo requires docker and docker-compose - so the downloading/instruction might as well have been just:

   wget https://raw.githubusercontent.com/knadh/listmonk/master/docker-compose.yml
    docker-compose up demo-db demo-app
And a note that demo app runs on port 9000. Even better would be a demo docker-compose.yml, so that "docker-compose up" was enough.

Now, should you run some random docker image(s)? Maybe not. But it's easier to see what's going on - maybe you spin up a vm and run docker there, isolated?

link
sofixa 1750 days ago
> What is the difference between downloading and running a bash script vs. downloading and running a binary or a Docker image

Docker images are slightly isolated. By default running a random one doesn't have access to your local filesystem or anything listening on your machine, unless you explicitly ask for it ( which a random docker-compose.yaml or bash script around a docker-compose.yaml and up can).

link
denton-scratch 1751 days ago
TBH, I've never downloaded a Docker image. I rely on Debian; I trust packages from the Debian repository (hell, I'm running their OS, so I already trust them).

Software from other sources: not so much. Maybe run it in a VM.

Look, I've used such commands myself - once upon a time that was the recommended way to install LetsEncrypt, I think. But I look at the script first.

link