Hacker News
by caymanjim 1536 days ago
This criticism is getting old. Piping curl output to bash is no less secure than installing a package via any other mechanism. Either you trust the source or you don't. I trust it more than I trust npm or pip because I'm typically getting it from the primary source instead of relying on a middleman that's got a poor track record.
2 comments

It may be old, but it is valid, and it allows me to mock Rust and Nix advocates at the same time; who could resist?
If there's a SHA hash, served by a different server, an attacker would have to compromise both -- now just one?
"Someone else replaces the good program with a malicious program" is the attack vector people are worried about when talking about sha256.

But, since you're downloading & running code written by someone else, it seems weird to talk about that but ignore "what if this program I'm downloading does something malicious".

Presumably you trust the authors or you wouldn't be downloading it to begin with. The primary concern isn't "what if the authors are out to get me" it's "what if someone impersonates or compromises the authors".
Indeed, and this can be done semi-covertly given that one can detect a "curl install" server-side [1] and serve up hostile code in just that case

[1] https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

Thanks! Interesting (the cURL stuff)
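The "SHA hash served by a different server" defense mentioned above, and the server-side swap described in [1], both come down to one practice: save the script to disk, compare it against a digest you obtained from somewhere other than the response that carried the script, and only then run it. The following is an added example of that flow, not code from the thread or from any project it mentions. It assumes `sha256sum` (or `shasum -a 256`) is on the PATH, and the expected digest is passed in by the caller; the "installer" and the tampering step are constructed here to stand in for a download and for an attacker swapping content, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): download-to-file, verify against an
# out-of-band SHA-256, then run. The digest must come from a second source
# (release page, signed manifest, another host), never from the same
# response that delivered the script, otherwise one compromise covers both.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run SCRIPT EXPECTED_SHA256 [ARGS...]
# Runs SCRIPT with sh only if its digest equals EXPECTED_SHA256.
# Exit status: the script's own status on a match; 2 on a mismatch
# (the script is never executed in that case).
verify_and_run() {
    script="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    shift 2
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $script: expected $expected, got $actual" >&2
        return 2
    fi
    sh "$script" "$@"
}

# Constructed sample: a harmless installer written to a temp file, standing
# in for what `curl -o install.sh https://...` would have saved to disk.
make_sample_installer() {
    f="$(mktemp)"
    printf '#!/bin/sh\necho "installing (benign)"\n' > "$f"
    echo "$f"
}

# Simulates the effect of a content swap (a compromised host, or the
# pipe-to-bash detection in [1] choosing a hostile variant): the bytes on
# disk no longer match what the publisher hashed.
tamper() {
    printf 'echo "hostile payload would run here"\n' >> "$1"
}

# Usage: verify the pristine file (runs), then the tampered one (refused).
installer="$(make_sample_installer)"
published_hash="$(sha256_of "$installer")"   # stands in for the out-of-band digest
verify_and_run "$installer" "$published_hash"
tamper "$installer"
verify_and_run "$installer" "$published_hash" || echo "refused to run tampered script"
rm -f "$installer"
```

Because comparison happens on the bytes already on disk, whatever the server decided to send based on how it was fetched is exactly what gets hashed and, on a match, exactly what gets executed; a swap of either the script or the digest alone is caught, which is the "compromise both" bar the earlier comment describes.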