Hacker News new | ask | show | jobs
by lightdot 426 days ago
From the Github page: "curl -sL https://plandex.ai/install.sh | bash"

Enticing users to blindly run remote 3rd party code on their machines is IMHO not a proper thing to do.

This approach creates a dangerous mindset when it comes to security and good practices in general.
2 comments
danenania 426 days ago
You can read the script before installing. It's pretty straightforward—just grabs the appropriate binary from GitHub and puts it in /usr/local/bin.

Installing via package managers or installers also runs remote 3rd party code on your machine, so I don't see much difference from a security perspective. You should make sure you trust the source before installing anything.

link
lightdot 426 days ago
Of course one can and should read the script before running it, but the instructions promote just the opposite.

Even if we skip a step ahead and consider that this script then installs a binary blob... the situation doesn't get any better, does it?

If you find any of this as something normal and acceptable, I can only strongly disagree. Such bad practices should be discouraged.

On the other hand, using a distro's package manager and a set of community approved packages is a far better choice when installing software, security vise. I really don't see how you could compare the two without plainly seeing the difference, from a security perspective.

As an alternative, if the software is not available through a distro's package manager, one should inspect and compile the code. This project provides the instructions to do so, they are just not promoted as a first choice.

I can't help coming to a conclusion, that you've largely made my point about bad practices and having a wrong mindset when it comes to software security.

link
danenania 426 days ago
Well, I simply disagree with you that it's a "bad practice", and I have a fair amount of security experience. But you're entitled to your opinion.

You can also build from source if you prefer: https://docs.plandex.ai/install/#build-from-source

link
stronglikedan 426 days ago
The instructions presume that one would follow best practices when installing something where the source is available, and doesn't need to explicitly include all the steps to do so in this context. You are correct in that it would be bad practice to blindly install something, but knowing what you are installing is the first step to installing when you are following best practices. That onus is on the person doing the installing, not the installation instructions.
link
bottled_poe 426 days ago
How is this any different to downloading and running a binary?
link