by snuxoll 4276 days ago
I've seen this same argument time and time again and it's just silly. We preach that curl | sh is evil because of a potential lack of "transparency" but rarely does anyone denounce the evils of binary packages.

When you run third-party code on your system there is ALWAYS a risk of it doing nasty things, it doesn't matter if it's an easily readable bash script or a .deb you downloaded. The biggest argument I see about curl | sh that I can agree with is the issue that happens when your connection dies in the middle of the download. Just download the file, then run it.

4 comments

Yeah, don't download and run binaries from random links on the internet either.

I don't think anyone is against recommendations of running "curl trustedsite.com/install | sh" except for the bad habits it teaches to people who don't know what curl and sh actually do, but wouldn't download and run a random exe.

Help forums are rife with suggestions to run "curl http://pastebin.com/raw.php?i=XXXX | sh" to solve technical problems. And not fringe forums either, but forums like the official Ubuntu forums.

I've literally never heard anyone "preach that curl | sh is evil" who wouldn't/isn't saying the exact same thing about binaries.

I wrote this article a year ago, and you hit the nail on the head - that is what I was getting at.

I didn't submit it here because it wasn't really meant for an advanced crowd, obviously most people would be aware of the dangers.

For example, take a look around at the pirating world. Many sites that help you install projects such as Couchpotato, Sickbeard, Sabnzbd etc rely on people curl-piping bash scripts. The people installing from those scripts likely do not know any better.

It's a little worse because with curl | sh - you inherently aren't able to check an md5 hash or a signature to verify the file is actually what you wanted.

Now while even with binaries people might not actually do that often enough - it at least is still an option.

You need a secure channel like HTTPS to get that hash, in which case, does it really matter if you just run the script anyways?
The signature can be a perfect match and still harm your system. Do you reverse engineer every binary that you run?
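The "download, verify, then run" pattern discussed in the two comments above, as an added example that is not part of the thread: a POSIX shell function that fetches an installer over HTTPS into a file, compares its SHA-256 against a value obtained separately, and only executes it on a match, so a truncated or swapped download is rejected instead of half-run. The URL and hash shown are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Fetch a script to a file, check its
# SHA-256 against a value obtained out of band, and only then execute it.

# Print the SHA-256 of a file; works with either sha256sum or shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise. A download cut
# off mid-transfer fails here rather than running as a partial script.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads with curl restricted to HTTPS (-f makes HTTP errors fail),
# verifies the file, then runs it. Nothing is ever piped straight into sh.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        rm -f "$tmp"; echo "hash mismatch: refusing to run" >&2; return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder URL and hash, not real values):
# fetch_verify_run https://example.invalid/install.sh <expected-sha256>
```

The expected hash still has to come from somewhere the attacker cannot also rewrite (a signed release page, a separate channel), which is the point the reply above makes.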
Best reply I've seen on HN in a long time.

Truth is I'd rather read someone else's shell script than someone else's C, python, ruby, javascript or other code. Not to say it still isn't painful reading; most scripts I see are nonsensically verbose. But it is a much less time-consuming read.

Unless, of course, it is written in a shell like Bash, i.e., one with too many extra features to keep track of. Like, say, exporting of functions, for example.

   We preach that curl | sh is  evil because of a potential lack of
   transparency but rarely does anyone denounce the evils of binary
   packages.
This is "Freedom 1"[1] and a bedrock principle of the FSF.[2] Appelbaum recently gave a talk "Free Software for Freedom Surveillance and You" about the evils of binary packages.[3]

[1] https://www.gnu.org/philosophy/free-sw.html

[2] Free Software is Even More Important Now: https://www.gnu.org/philosophy/free-software-even-more-impor...

[3] https://media.libreplanet.org/u/zakkai/m/free-software-for-f...