Hacker News new | ask | show | jobs
by dantheman 4066 days ago
This is a bad practice:

  curl * | bash
and should be discouraged. It's easy but it's like saying, hey I'm logged in as root all the time - it's easier.
6 comments
olalonde 4066 days ago
In this case, * is "https://sdk.cloud.google.com" and I don't see how it's worse than trusting a package from PyPi. If anything, the curl command offers some guarantee that you are running code endorsed by Google.
link
lukeschlather 4066 days ago
If the HTTP connection is interrupted during download (highly likely if you're doing this routinely) you'll end up with something in a broken state. Locally running a remote stream as it arrives as code is just a bad idea, unless you're talking about something like a webpage where a partial is potentially preferable to nothing at all.
link
cristicbz 4066 days ago
Code which is meant to be piped into bash is generally written as:

    #!env bash
    f () {
      ...code
      ...code
      ...code
    }
    f
Hence a partial stream will do nothing (syntax error, missing brace to be precise).
link
plorkyeran 4066 days ago
This is a completely trivial problem to solve (wrap the logic in a function), which the script in question does solve.
link
brlewis 4066 days ago
It's no different from steps 2 and 3. At each step you're trusting that code you just downloaded from the web is doing what you want it to do.
link
lukeschlather 4066 days ago
You're also trusting that the Internet is going to stay up for the duration of the install script, which is an unreliable assumption. Imagine at some point the script does:

rm -rf ~/.config/google

and the connection gives out at

rm -rf ~/

Suddenly your script didn't install, and you've blown away your home directory. HTTP(S) is designed for reading documents, where it's OK if you can't read the document in its entirety.

link
delroth 4066 days ago
This is easily solved by putting everything in a bash function and calling the function as the last thing in the script. If you look at the Cloud SDK setup script, that is exactly what it does.
link
lukeschlather 4066 days ago
I agree it's a trivial problem to solve, I just think the right way is to download the code and store it separately, so that it's easy to add checksum/signature validation later.
link
icebraining 4066 days ago
And only it really does anyway is

  wget https://dl.google.com/dl/cloudsdk/release/install_google_cloud_sdk.bash
  chmod 775 install_google_cloud_sdk.bash
  ./install_google_cloud_sdk.bash
link
crdoconnor 4066 days ago
Only if you don't trust the source (or it's http).

Otherwise you might as well give up on downloading any software from the internet. Ever.

link
Blackthorn 4066 days ago
Have you ever run "./configure" on some open source code you downloaded? That's no more safe. In this case, curl | bash is probably more safe because at least it came over HTTPS.
link
discardorama 4066 days ago
> Have you ever run "./configure" on some open source code you downloaded? That's no more safe.

That is if you don't do a

    view ./configure
first and go through it. You do take a look at the configure scripts, don't you?
link
Blackthorn 4066 days ago
What's less readable, a ToS that you have to accept or a GNU autotools configure script?

Example: expat's autoconf script is over twenty two thousand lines long.

link
cos 4066 days ago
You could just as easily do 'curl someurl | less' before you run it, too.
link
erlichmen 4066 days ago
You don't need root to install gcloud
link
icebraining 4066 days ago
I think that was just an analogy.
link