Hacker News new | ask | show | jobs
by Matl 1013 days ago
> On Unix/Linux land the prevalence of pipe curl to bash type installers is not much different.

This is a problem but only if you install software on Linux by manually going to the project page and copy-pasting whatever curl they have there, I think the difference is that mostly you're encouraged to go the package manager route, whereas on windows downloading .exes directly (ala the curl example) is the norm.
2 comments
sanitycheck 1013 days ago
It seems to be increasingly the case that package managers just don't have some software - or have a version that's years out of date. Perhaps the number of different ones available has become self-defeating.

Directly sudoing a curl-ed script is like running a binary on Windows with admin permissions and with Defender turned off, which makes it somewhat more scary to me.

On Windows I use Chocolatey when I can, and if I can't (or it looks dodgy anyway) I'll either just not install it or try it in a sandbox. Things that aren't choco-able are generally commercial software obtained from the vendor's download page, we theoretically trust those things somewhat. YMMV.

link
Matl 1013 days ago
> Directly sudoing a curl-ed script is like running a binary on Windows with admin permissions and with Defender turned off,

Most people would just say yes to any prompt they get, those wise enough not to aren't running random curl scripts either.

As for Defender being any kind of protection, I have my doubts.

> it seems to be increasingly the case that package managers just don't have some software - or have a version that's years out of date.

This is entirely distro dependant, some are very up to date and have most things you'd want, especially if you include the likes of AUR in that. But then there's usually a Flatpak or an AppImage that you can use in the odd case that they don't.

link
jjgreen 1013 days ago
Actually no, the problem with curl | bash is that it can be detected on the server, so if the server is compromised, it can serve you malware and you will never know about it. It is safe(r) to curl > file, inspect the file, then execute it under bash.
link
yrro 1013 days ago
The result of inspecting such a file is usually a series of disgusted shudders, "this will do WHAT do my machine"?
link
jjgreen 1013 days ago
Sometimes a smile at the clarity and simplicity of the authors shell code, sometimes.
link
yrro 1013 days ago
A rare delight but it does happen
link