by tbrownaw 1701 days ago
I think it's contrary to currently-recommended ops practice (clearly imperative rather than nominally declarative), but how is it bad security practice? If you don't trust the origin, it's not like saving to a temporary file first is going to help you. Unless you're suggesting that everyone should always do their own code review and then compile from source...
5 comments

> but how is it bad security practice?

Companies / organizations / team members go rogue sometimes. We've seen this even recently with e.g. kicad, freenode, the timezone database, etc.

Just because you trust the source doesn't mean you should trust all of the scripts they tell you to run. Even if it's a good-faith script, you have no idea if it's making assumptions about your system that are not true and opening you up to sidechannel attacks and the like.

Curl to a file first, inspect the script, consider it within the context of your own system, then run it if you deem it's safe.

> Curl to a file first, inspect the script, consider it within the context of your own system, then run it if you deem it's safe.

But you can still do that if you want? It is not like this is a hidden executable or something.

Sure, but as OP put it, "Normalize better security practices!".
Here's some discussion about that. But to put it simply, security is done in layers. Checking something simple like a script before running it is relatively easy and can catch low-effort malicious attempts. Sure, it won't protect against an advanced persistent threat doing a supply chain attack, but you're probably much more likely to be hit with low effort attacks that could be avoided by just not being careless.

https://news.ycombinator.com/item?id=17636032

> If you don't trust the origin, it's not like saving to a temporary file first is going to help you.

Huh? The whole point is to review the code before you run it.

If it seems like many people _don't_, well frankly, that's their problem.

Encouraging bad practice is not the right direction.

At minimum you could download software that is at least signed by someone you trust, rather than streaming arbitrary commands from a source where the extent of the authentication is that their CDN's TLS certs match their domain.
Saving to a file first means you can at least run it in a test environment first, then be confident you’re running the same thing when moving into production.
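
The save, review, then run workflow discussed in this thread, as an added shell example that is not part of any comment: the reviewed file's SHA-256 is recorded, and the script runs later only if the file still matches that hash. The function names, the placeholder URL in the comment, and the sample installer are constructed for illustration.

```shell
#!/bin/sh
# Step 1 (not executed here; placeholder URL): save instead of piping to sh.
#   curl -fsSLo install.sh https://example.invalid/install.sh
# Step 2: read install.sh, then record its hash with file_sha256.
# Step 3: in test and again in production, run it only via run_if_reviewed.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run a saved script only if it matches the hash recorded at review time.
# Usage: run_if_reviewed <script-file> <reviewed-sha256>
# Returns 2 if the file is missing, 1 on hash mismatch, else the script's status.
run_if_reviewed() {
    script=$1
    pinned=$2
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 2; }
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$pinned" ]; then
        echo "hash mismatch: reviewed $pinned, got $actual" >&2
        return 1
    fi
    sh "$script"
}

# Constructed demo: a stand-in installer is "reviewed", run, then modified.
demo() {
    workdir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'echo "installing demo tool"' > "$workdir/install.sh"
    reviewed=$(file_sha256 "$workdir/install.sh")      # hash taken at review time
    run_if_reviewed "$workdir/install.sh" "$reviewed"  # same bytes: runs
    echo 'echo "unreviewed extra step"' >> "$workdir/install.sh"
    run_if_reviewed "$workdir/install.sh" "$reviewed" \
        || echo "refused: file changed since review"
    rm -rf "$workdir"
}

demo
```

The hash only proves that what runs in production is what was read and tested; it says nothing about whether the reviewed content is safe.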