[fishtoaster]

I feel like this discussion comes up every time someone mentions homebrew. The conclusion I've come to is that `curl -s foo.com/bar | sh` is less secure than downloading and running an install script locally iff you intend to review the install script yourself.

If you're just downloading homebrew and running an install script by hand without reading it (as, honestly, I usually do), there's no difference.

[kbutler]

It's also at least as safe as downloading and running a binary executable.

[falcolas]

I see this assertion all the time, and I disagree.

For one thing, the script is coming over http, so it's trivial to intercept and replace the content, perhaps even silently so you get the original content plus a few extra box owning goodies. Two, as a .sh script, its self-selecting in terms of what system the binary executable has to be written for. Also, it's typically not as easy to escalate privileges in an executable as it is in an arbitrary shells script.

[kbutler]

curl -s foo.com/bar | sh

vs

curl -o install foo.com/bar && chmod a+x install && ./install

The script is an open source installer, the binary is hidden/closed. You and others at least have the option to inspect it.

The binary would also be coming over http (https is clearly preferred for binaries or scripts). A binary can always embed a script and do a 'system' call to execute any script-available privilege escalation.

I'm not sure what you mean by "as a .sh script, its self-selecting in terms of what system the binary executable has to be written for". I think you mean that a single .sh script can target multiple platforms. That doesn't mean a binary is any safer for you to download and execute on your system.