by cogman10
702 days ago
Probably the biggest problem with the `curl | sh` approach is it bypasses package maintainers. I agree it's really no different than if you compiled malicious code yourself (or pulled in a 3rd party bin repository). However, one of the functions of a package maintainer is finding/being notified of security issues. I'm thinking of the recent xz attack. Imagine how bad that would have been if xz was commonly installed via `curl | sh`. All this is to say `curl | sh` is probably fine if the org is reputable, however, you should be having second thoughts if this is a repo run with a bus factor of 1.
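As an added illustration of the point about `curl | sh` (this is not part of the comment above, and not any project's own installer), here is the minimal change that keeps the convenience of a one-line install while refusing to execute anything that does not match a digest you pinned out of band. The URL and the expected SHA-256 are placeholders you would take from the project's release page, not from the script you are about to run.

```shell
#!/bin/sh
# Added example: download to disk and verify before executing, instead of `curl | sh`.
# Assumptions: sha256sum, cut, mktemp and curl are available; INSTALLER_URL and
# PINNED_SHA256 are placeholders the operator fills in from a trusted, separate source.

# check_sha256 FILE EXPECTED_HEX
# Succeeds (exit 0) only when FILE's SHA-256 equals EXPECTED_HEX.
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_pinned URL EXPECTED_HEX
# Fetches URL to a temp file, verifies the digest, and runs it only on a match.
# The file stays on disk long enough to be inspected or logged before execution.
install_pinned() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$1" -o "$tmp"; then
        echo "download failed: $1" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! check_sha256 "$tmp" "$2"; then
        echo "refusing to run $1: SHA-256 mismatch" >&2
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage (placeholders, not real values):
# install_pinned "$INSTALLER_URL" "$PINNED_SHA256"
```

Pinning a digest only protects against the script being swapped or tampered with between publication and download; it does nothing against the scenario the comment raises, where upstream itself is compromised and publishes a matching hash, which is exactly the gap a second pair of eyes at the package-maintainer level is meant to cover.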