by tzs 755 days ago
> Getting it out of a repository wouldn't make any more vetting appear as if by magic.

But it makes it way easier to figure out what happened if you do get attacked.

With "curl | sh", if a compromised site only sends the attack code randomly and I get unlucky, I won't have a copy of the attack code afterwards. If I go to the site to grab a copy, I'll probably get a copy without the attack code.

With "curl > /tmp/foo.$$; sh < /tmp/foo.$$", if I am unlucky and get the attack code, I can at least look at /tmp/foo.$$ to see what happened, and download the code again and see if it is the same.

If you insist on piping, at least do "curl | tee /tmp/foo.$$ | sh".


You can also throw in a `-x` at the end there.
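The "save a copy, run from the copy, re-download and compare" idea from the comment above, plus the `-x` trace from the reply, as an added example that is not from either commenter. It assumes the caller supplies the fetch command (in the thread that would be `curl`) and chooses where the evidence is kept.

```shell
# Added example (not from the thread): a "record, then run" wrapper that
# keeps the exact bytes that were executed, an sh -x trace of what they did,
# and a way to re-fetch and diff later.

# record_and_run <saved_copy> <fetch command...>
# The fetch command must write the script to stdout (e.g. curl -fsSL URL).
record_and_run() {
    saved=$1; shift
    mkdir -p "$(dirname "$saved")"
    # tee keeps whatever actually arrived, even if the server serves the
    # payload only once; the script is run from the saved file, not the pipe.
    "$@" | tee "$saved" >/dev/null
    # Hash for the incident record (sha256sum is GNU coreutils; skipped if absent).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$saved" > "$saved.sha256"
    fi
    # sh -x echoes each command as it runs; the trace (plus the script's own
    # stderr) is kept beside the copy so you can see what it actually did.
    sh -x "$saved" 2>"$saved.trace"
}

# same_as_saved <saved_copy> <fetch command...>
# Re-fetch and compare with the saved copy: returns 0 if identical, 1 and a
# unified diff if the second download differs (a hint that delivery was
# selective).
same_as_saved() {
    saved=$1; shift
    fresh=$(mktemp)
    "$@" > "$fresh"
    if cmp -s "$saved" "$fresh"; then
        rm -f "$fresh"
        return 0
    fi
    diff -u "$saved" "$fresh"
    rm -f "$fresh"
    return 1
}
```

Note that a plain `sh` pipeline reports only `tee`'s exit status, so a failed fetch still produces a (possibly empty) saved file; check the file before trusting the run.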