Hacker News new | ask | show | jobs
by always2slow 837 days ago
Thanks but... no thanks, you've missed my point entirely. Why would I want to run peer to peer software built by developers whose security stance starts with curl-bash? Would you curl-bash a webserver? an email server? No? Probably even worse for your source code repository then right?
3 comments
LegibleCrimson 837 days ago
The problems with curl-bash are overblown. You are pretty much exactly as vulnerable running pip install, npm install, or cargo install.

Not that curl bash is great, but it's not uniquely horrible when the goal is to run some unvetted code on your machine.

If you care about security, you have to either vet the code or trust the source. When you install through your package manager, you're trusting the maintainers. When you install from curl bash, a random website, or any unvetted software source, you are electing to trust the developers or site directly.

link
saurik 836 days ago
The big difference with curl|bash is that the download itself gets to execute in the context of the computer as it is downloading, which is a super power that makes it much easier to hide behaviors as you can make it extremely difficult for people to ever be able to just download a dead copy of the script to analyze it for malware.
link
mixmastamyk 836 days ago
Packages on those systems do get blocked at times. So no, not as risky.
link
andrewaylett 837 days ago
The counterpoint would be: you're intending to run their code, if it's malicious then you're hosed anyway.

In bygone times, one might suffer from a truncation attack or otherwise end up running arbitrary code that's not what the vendor intended. Nowadays, there's really no security difference in curl|bash vs downloading a package and running it. Or, indeed, installing using `cargo install`.

That doesn't mean I'm happy running it, but my argument against it is less a security argument and more a predictability one: I want to be able to cleanly uninstall later, and package managers normally provide more consistent support for uninstalling than an arbitrary shell script.

link
LegibleCrimson 837 days ago
The cleanup and uninstall concern is one of the reasons I run as many things in containers as I can. It's so easy to blow away a container and its volumes compared to traditional software uninstallation.
link
mplewis 836 days ago
Yeah, it’s much better to npx something or install a package off the AUR. Definitely much safer.
link