by Scipio_Afri 780 days ago
Not using https is bad.

curl -sf http://goblin.run/github.com/remorses/docker-phobia | sh

Also why just include that shell script in the repo and have people curl that?

3 comments

Goblin is a service that builds a Go binary for your platform on the fly and downloads it in PATH. This is a much faster way than setting up GitHub Actions to build an executable for every possible platform on every release. You can also use go install if you know what you are doing.
> This is a much faster way than setting up GitHub Actions to build an executable for every possible platform on every release

It's not even that hard. Just use GoReleaser.

https://goreleaser.com/

And then later add a script that downloads the binary from GitHub releases. Doesn't improve the situation with curl script haters.
I feel like the assumption is that GitHub would be more proactive about stopping malware being distributed from their platform.
curl should probably scream when it detects piping unencrypted WAN (not local IPs) connections to shell, sort of like what OpenSSH does when a host’s fingerprint changes.
How could curl detect where it's piped to?
Something like (in Python)

os.isatty(sys.stdout.fileno())

That doesn't say where it's piped though. It could be redirected to a file, or piped to something harmless like jq.
Iterate through /proc/<pid>/fd and check for the pipe id in the symlink target.
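The /proc lookup suggested in the comment above, written out as an added example (not code posted by anyone in this thread). It is Linux-only, sees only processes the current user may inspect, and the function names `pipe_inode` and `pipe_readers` are made up for this illustration.

```python
import os
import stat
import sys

def pipe_inode(fd):
    """Return the pipe inode behind fd, or None when fd is not a pipe."""
    st = os.fstat(fd)
    return st.st_ino if stat.S_ISFIFO(st.st_mode) else None

def _access_mode(proc, pid, name):
    """Open mode (O_RDONLY/O_WRONLY/O_RDWR) recorded in /proc/<pid>/fdinfo/<fd>."""
    with open(os.path.join(proc, pid, "fdinfo", name)) as f:
        for line in f:
            if line.startswith("flags:"):
                return int(line.split()[1], 8) & os.O_ACCMODE
    return None

def pipe_readers(fd, proc="/proc"):
    """Map pid -> command name for every process holding the read end of fd's pipe."""
    ino = pipe_inode(fd)
    if ino is None:
        return {}
    target = f"pipe:[{ino}]"  # symlink target the kernel shows for pipe descriptors
    readers = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            names = os.listdir(os.path.join(proc, pid, "fd"))
        except OSError:
            continue  # process exited, or it belongs to another user
        for name in names:
            try:
                if os.readlink(os.path.join(proc, pid, "fd", name)) != target:
                    continue
                if _access_mode(proc, pid, name) == os.O_RDONLY:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        readers[int(pid)] = f.read().strip()
            except OSError:
                continue  # descriptor closed while we were looking
    return readers

if __name__ == "__main__":
    # Report on stderr so the result stays visible when stdout is a pipe.
    if os.isatty(sys.stdout.fileno()):
        print("stdout is a terminal", file=sys.stderr)
    elif pipe_inode(sys.stdout.fileno()) is None:
        print("stdout is redirected, but not into a pipe", file=sys.stderr)
    else:
        print("stdout pipe is read by:", pipe_readers(sys.stdout.fileno()), file=sys.stderr)
```

Saved under any file name and run with its output piped into `sh` or `jq`, it names the process on the reading end, which is the distinction `isatty` alone cannot make.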
The shell would have to give the warning.
Lol. This is a hilariously shady instruction. Is this a Docker inside joke or something?