

Curl | shell Considered Harmful? - ben0x539
http://blog.amateurtopologist.com/post/curl-shell

======
IbJacked
Is it a terrible idea? Yes. Do I do it anyway? Yes. Do I do it with non-
mainstream projects I've never heard of? Nope. Does that make it ok? No, of
course not, but that's the level of risk I'm willing to accept.

It's not really any different than downloading and installing/executing
something like Sublime Text or Alfred.

~~~
joshguthrie
Amen to that. Everybody boasts about open-source and security but in the end,
we just can't check up on every single line of code we get from the
internet. There is a line of security people are willing to give up: piping
RVM install to shell is okay. Downloading a binary from a shady site just to
get a YouTube downloader, nope.

------
2bluesc
It is dangerous... but how often do people verify GPG signatures or, less
secure yet, SHA-1 hashes of the download tarballs?

The curl piped into a shell is a bit too close to the edge for me.

------
augbot
Wow, this totally makes sense. Better safe than sorry!

