by tlrobinson 4731 days ago
Honest question: do you audit every line of code you ever download and execute?

Edit: Ironically Docker itself has the potential to help solve the problem of running untrusted open source code. I think every open source project should include either a Dockerfile or Vagrantfile to help users get up and running quickly, and safely run untrusted projects.

3 comments

On my linux machines, generally, I'll only install software from trusted sources, say rpm repos or ubuntu sources. In this case, yes, I would review the source of this file before running it.

For example, I would notice that it requires apt-get

  echo "Ensuring basic dependencies are installed..."
  apt-get -qq update
  apt-get -qq install lxc wget bsdtar

Then it downloads some binary into /usr/local/bin; at this point, I'd probably configure a VM to review this further.

But would you review the source of Docker too?

I think I get where you're going with this, in that the burden to run this and review the source is too high, that it almost seems like a waste of time. If that is your point, then I agree with you.

I don't know much about docker, but doing a "curl | sh" peeks my interest, then downloading additional binaries into /usr/local/bin, I'd want to take a closer look. Obviously, this is a case by case review, till it sits well with me. If I was going to run this in production, I'd want to have a really good idea of what this was doing and what to expect, so I'd probably take a closer look at the source if it was not clear from the documentation.
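A small review aid, added here and not part of the thread or of Docker's install script: it flags the same kinds of lines the commenter above pulled out by hand (package installs, downloads into /usr/local/bin, plain-http URLs, pipe-to-shell, sudo) so a reader knows where to look before deciding whether to run a downloaded script. The rule names, the constructed sample and the example.invalid host are assumptions.

```python
"""Triage helper for a downloaded install script (added example)."""
import re

# Each rule is (label, pattern), applied to one stripped line at a time.
# They are deliberately simple: this is a reading aid for a human
# reviewer, not a sandbox or a replacement for reading the script.
RULES = [
    ("package install", re.compile(r"^(sudo\s+)?(apt-get|apt|yum|dnf|brew)\b.*\binstall\b")),
    ("remote download", re.compile(r"^(sudo\s+)?(curl|wget)\b")),
    ("pipe to shell", re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("plain-http URL", re.compile(r"\bhttp://")),
    ("writes to system path", re.compile(r"/usr/local/bin|/usr/bin|/etc/")),
    ("runs as root", re.compile(r"\bsudo\b")),
]


def triage(script: str):
    """Return [(line_no, label, line)] for every non-comment line that matches a rule.

    A line can appear more than once when several rules match it; the
    order follows RULES so output is stable.
    """
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for label, pattern in RULES:
            if pattern.search(stripped):
                findings.append((no, label, stripped))
    return findings


# Constructed sample modelled on the snippet quoted in the thread;
# the download host is a placeholder, not the real project's URL.
SAMPLE = """#!/bin/sh
echo "Ensuring basic dependencies are installed..."
apt-get -qq update
apt-get -qq install lxc wget bsdtar
wget -q -O /usr/local/bin/docker http://example.invalid/docker
chmod +x /usr/local/bin/docker
"""

if __name__ == "__main__":
    for no, label, line in triage(SAMPLE):
        print(f"line {no}: {label}: {line}")
```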

Completely non-judgmentally, it's "piques my interest", so you can spell it right next time. (I have the opposite problem: I spell things right and say them wrong.)
I met someone who pronounced "queue" as "kway", as in "I need to go clear my mail kway".

That is all.

Do you reverse engineer your CPU's schematics?

This can go on pretty far - trust is always an eventually unsolvable issue.

There is a certain level of trust that is easy to achieve and easy to get. Trusting dotcloud is easier than trusting everyone on the internet is pink bunny. Happens to be that HTTPS and signing aren't exactly hard either ;-)

Why don't we just add "click to execute" to browsers while we are at it... /s

Because people who use command lines / open source software generally have better judgement about this sort of thing than the average user?

You either have to trust Docker (a fairly well known project built by reputable people) isn't going to root your machine, or download the source yourself and audit it.

This is no worse than suggesting you "git clone whatever; cd whatever; make" (aside from the lack of SSL)

> You either have to trust Docker

...and everybody else on my network, with that method. Doing that I don't even get the chance to think "Hey wait a second, why was this only 50 bytes of shell script...".

The reason that you see outrage for this "method" is because it is born of laziness and far too reminiscent of more disturbing times in computer security.

The original poster didn't say his issue was with the lack of HTTPS so I assumed he doesn't approve of this technique in general, but yes, I agree HTTPS should be used.

> Because people who use command lines / open source software generally have better judgement about this sort of thing

Why do we need an instruction on downloading the source to begin with? It really just promotes bad habits with those who know no better, i.e. new/inexperienced developers. The problem is when people see instructions like that on 20% of the guides they read in earnest, trusting that everything is OK if enough people say it. One hopes they stumble upon a discussion like this so that they can consider the consequences but that just isn't going to happen to everyone. True, one should exercise equal caution while cloning, gem-ing[1], etc. It would be great if authors would just link to the source and paste the relevant lines from the README if necessary.

[1] http://andre.arko.net/2013/03/29/rubygems-openssl-and-you/

I don't, but for an install script one can at least look at where the stuff will come from. If the download link was using SSL...

I agree, they should use SSL (and not use a URL shortener, which they don't, but I've seen it before).

Ideally it would download a file from GitHub too, that way you can be sure it's coming straight from the publicly visible open source repo, and you can audit it if you want.

But I think the general outrage over this technique is overblown.