by da_chicken 238 days ago
I'd not heard of clickhouse before. It does seem interesting, but I just can't get behind a project that says:

> The easiest way to download the latest version is with the following command:

> curl https://clickhouse.com/ | sh

Like, sure, there is some risk downloading a binary or running an arbitrary installer. But this is just nuts.

4 comments

It's Apache licenced and you could also install it via your favourite package installer. Given all the crazy supply chain attacks going on, I don't really feel this is any worse than downloading a binary from a distro archive, and specifically this pipe | sh doesn't expect you to run it as root (which a lot of other cut-and-paste installers do).
> I don't really feel this is any worse than downloading a binary from a distro archive

Please don't say that. It denigrates the work of all the packagers that actually keep our supply chains clean. At least in the major distributions such as Red Hat/Fedora and Debian/Ubuntu.

The distro model is far from perfect and there are still plenty of ways to insert malware into the process, but it certainly is far better than running binaries directly from a web page. You have no idea who have access to that page and its mirrors and what their motives are. The binary isn't even signed, let alone reviewed by anyone!

I’m not sure how much better this is than blindly running “npm i thing”, where I have no real assurance I’m not downloading a giant piece of malware either.
That's exactly why it's insane. People remember the pad-left fiasco.

Previously discussed here: https://news.ycombinator.com/item?id=11348798

Article now resides here: https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how...

>Like, sure, there is some risk downloading a binary or running an arbitrary installer. But this is just nuts.

It's literally exactly the same thing

Chdb is just a binary. You can just grab that. Also pipe to sh is used by a ton of projects
it's used by many projects but still regarded as an anti-pattern and security issue
it's really exactly the same as wget file;./file and not a real anti-pattern in any way
A ton of people drink and drive too, doesn't make it any more fine.
Y’all are so pure. Just don’t install it that way. Sheesh.
how is this any less secure than running a binary/installer? the binary could run this inside?
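Added example, not from the thread and not ClickHouse's own installer: a runnable illustration of the two points argued above, that a saved file can be checked against a pinned digest before anything executes, and that a piped stream cannot, so `sh` runs whatever it has read when the connection drops mid-line. The installer script, the temp directory layout and the pinned digest are all constructed here (the digest stands in for a checksum a vendor would publish out of band); `sha256_of`, `run_verified`, `run_piped_truncated` and `truncation_offset` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from ClickHouse: what "curl ... | sh"
# gives up compared with "download, check the digest, then run". Everything
# here is constructed and runs offline in a temp directory; the installer
# script and its pinned digest are stand-ins for a vendor's install script and
# the checksum a vendor would publish out of band.
set -eu

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for an install script. The unquoted expansion is
# deliberate: it is the pattern that makes a truncated stream dangerous.
make_installer() {
    cat > "$1" <<'EOF'
echo "installer started"
rm -rf $WORK/stage/old-build
echo done > $WORK/stage/result
EOF
}

# The safe path: run the saved file only if its digest equals the pinned one.
# Returns 1 (and runs nothing) on a mismatch.
run_verified() {
    file=$1; expected=$2; work=$3
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: $actual != pinned $expected" >&2
        return 1
    fi
    WORK="$work" sh "$file"
}

# The "curl | sh" path with the connection dropping after $2 bytes: sh
# executes whatever it has read so far, including a cut-off last line.
run_piped_truncated() {
    file=$1; nbytes=$2; work=$3
    head -c "$nbytes" "$file" | WORK="$work" sh
}

# Byte offset at which the constructed script is cut mid-line, leaving
# "rm -rf $WORK/stage" as the last command sh sees (43 for this script).
truncation_offset() {
    l1='echo "installer started"'
    l2prefix='rm -rf $WORK/stage'
    echo $(( ${#l1} + 1 + ${#l2prefix} ))
}

demo() {
    t=$(mktemp -d)
    make_installer "$t/install.sh"
    pinned=$(sha256_of "$t/install.sh")   # what you would pin from the vendor's checksum

    mkdir -p "$t/stage/old-build"
    run_verified "$t/install.sh" "$pinned" "$t"
    echo "verified run: result=$(cat "$t/stage/result")"

    cp "$t/install.sh" "$t/tampered.sh"
    echo 'echo pwned' >> "$t/tampered.sh"      # e.g. a modified mirror
    if ! run_verified "$t/tampered.sh" "$pinned" "$t"; then
        echo "tampered copy was refused"
    fi

    mkdir -p "$t/stage/old-build"; rm -f "$t/stage/result"
    run_piped_truncated "$t/install.sh" "$(truncation_offset)" "$t"
    [ -d "$t/stage" ] || echo "truncated pipe deleted the whole stage dir"
    rm -rf "$t"
}

demo
```

The digest check is the weakest form of the "download, then look" workflow (a signature from a key you already trust is stronger, since a checksum fetched from the same server as the script proves nothing), but even it is only possible once the bytes are on disk; the truncation case is the same script, byte for byte, cut short, and `sh` happily runs the partial `rm -rf`.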