by guy98238710 1055 days ago
> curl -L "https://replicate.fyi/install-llama-cpp" | bash

Seriously? Pipe script from someone's website directly to bash?

6 comments

That's the recommended way to get Rust nightly too: https://rustup.rs/ But don't look there, there is memory safety somewhere!
In rustup's defense, if you're already trusting them enough to run their executables, this isn't that much worse, afaik.
oh, this again.
Either you trust the TLS session to their website to deliver you software you're going to run, or you don't.
You can clone llama.cpp on GitHub and the models from HuggingFace. No need to trust this unrelated website.
But if you do trust it, very convenient.
Yes. If you are worried, you can redirect it to file and then sh it. It doesn’t get much easier to inspect than that…
Pretty common. You can inspect the script before piping it.
Bad actors can detect if it's being piped to bash and send different data. Better to just download the script first if you're concerned.
That's what I meant but I had no idea about piping detection at the same time so thanks for pointing that out, nifty.
How can you detect where someone pipes the output of curl output to?
Basically, bash executes the script line by line as it is downloading - pausing the download while that line executes. By sending a sleep() command early in the script you can detect the delay in the next line being downloaded.

It's a lot more complicated due to TCP buffers and trying to hide output from the user.

Original article below. It is giving me a certificate error though but it's available through archives or a cache.

https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

Neat article.

Cached version → http://archive.today/O46rw

"This Connection is Invalid. SSL certificate expired."
Yeah I mentioned that. You have to go through a cache or an archive.
Amazing, thanks.
who doesn't love surprises
IMO this is equivalently scary to installing an arbitrary rpm.
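
The "redirect it to file and then sh it" advice from the comments above, written out as an added example that is not part of the thread: the script is downloaded completely, so the bytes you read are the bytes that run, and it only executes if it matches a pinned digest. The function names are hypothetical, and it assumes the publisher provides a SHA-256 digest through a separate channel, which the thread does not mention.

```bash
#!/usr/bin/env bash
# Added example: download fully, verify against a pinned digest, then execute.
# The URL and digest are supplied by the caller; none come from the thread.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Download a URL completely to a file. --fail turns HTTP errors into a non-zero
# exit, so an error page is never saved as if it were the installer.
fetch_to_file() {
    local url="$1" dest="$2"
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
         --output "$dest" "$url"
}

# Run a previously downloaded script only if its digest matches the pinned one.
# Returns the script's exit status, or 1 on mismatch (the script is not run).
run_verified() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    bash "$file"
}

# Typical use (placeholders, not values from the thread):
#   tmp=$(mktemp)
#   fetch_to_file "https://example.invalid/install.sh" "$tmp"
#   less "$tmp"                      # read exactly the bytes that will run
#   run_verified "$tmp" "<pinned-sha256-from-a-separate-channel>"
```

Because the file is complete on disk before anything executes, the server sees the same download whether or not you go on to run it.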