
Homebrew package recommends curling directly to shell via insecure website - mrmondo
http://brew.sh
======
mrmondo
Also, homebrew maintainers if you're reading this, since you blocked people
from commenting on the issue here's something you might be interested in:
[https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)

------
stephenr
Honestly this is not surprising. The homebrew developers seem pretty much
unable to accept any possible criticism.

~~~
mrmondo
I bet they disagree with that statement. Jokes aside, interesting to hear.

------
rickycook
I don't understand how in 2016 the value of SSL still has to be debated...
Pretty poor TBH.

~~~
mrmondo
I absolutely agree, OK some of my comments could have been a little less
'defeated' sounding, but that's the way I feel when I have to explain this
over and over again.

------
mrmondo
I logged a bug[1] for this today after noticing that
[https://brew.sh](https://brew.sh) had broken SSL. The official response from
the maintainers: "Do not use HTTPS".

When I pointed out that directing people to curl directly from the internet,
especially over insecure web pages (without even a warning), is a problem, the
maintainers did not see the issue, despite Homebrew being a widely used package
manager that often requires root access for package installation.

I closed my bug report and the maintainers locked the conversation from
further comments / input with a snarky reply.

Can I take it? Sure! Do I care that people are installing homebrew across
their machines everywhere via an insecure method - you bet I do!

I'm not here to let off steam, I'm here to give a reminder and a general
security PSA: Please don't blindly copy and paste commands from the internet
into your shells, especially when it's to install a package manager.

My questions to the maintainers:

"...

Regardless, as I said, this is a package manager, please consider security,
especially when you're suggesting that it's a good idea that users curl
straight to shell from the internet, if they don't use SSL anyone could MITM
that link of yours and people could be infected with malware etc...

@MikeMcQuaid @UniqMartin - your thoughts on users curling straight from an
unencrypted website to their shell?"

Maintainers response:

"MikeMcQuaid @sammcj Life tip: messages provided with a patronising tone will
generally not be taken on board."

"This conversation has been locked and limited to collaborators."

[1] Bug report:
[https://github.com/Homebrew/brew/issues/490](https://github.com/Homebrew/brew/issues/490)

Screenshots:

\- [http://i.imgur.com/ia26FsQ.jpg](http://i.imgur.com/ia26FsQ.jpg)

\- [https://cloud.githubusercontent.com/assets/862951/16719904/7c437096-4773-11e6-8ffc-eedc3d05c42f.jpg](https://cloud.githubusercontent.com/assets/862951/16719904/7c437096-4773-11e6-8ffc-eedc3d05c42f.jpg)

\- [https://cloud.githubusercontent.com/assets/862951/16719905/7f4a58f4-4773-11e6-9717-102bce152554.jpg](https://cloud.githubusercontent.com/assets/862951/16719905/7f4a58f4-4773-11e6-9717-102bce152554.jpg)

\- [http://i.imgur.com/KIJshXT.jpg](http://i.imgur.com/KIJshXT.jpg)

\- [http://i.imgur.com/lPgV0Hq.jpg](http://i.imgur.com/lPgV0Hq.jpg)

\- I bought a domain that sounds legitimate and could have told people to do
bad things; instead I linked to an article about why you shouldn't curl to
shell. It cost me $0.88: [http://homebrew.host](http://homebrew.host)

*Edit: added screenshots and example
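
The safer alternative the PSA above implies, written out as an added example
(this is not Homebrew's installer nor code from anyone in this thread): fetch
the install script to a file over HTTPS only, compare it against a SHA-256 you
obtained out of band, and only then read or run it. The URL and expected hash
are placeholders you would substitute; `curl --proto '=https'` refuses any
redirect to a non-TLS scheme, which is exactly the downgrade an on-path attacker
would rely on with a plain http:// link.

```shell
#!/bin/sh
# Added example: "fetch, verify, then run" instead of "curl | sh".
# The installer URL and expected checksum are placeholders (assumptions).

# Print the SHA-256 of a file, using GNU coreutils or macOS/Perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256
# Exit status 0 when the file matches the pinned hash, 1 otherwise.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
#   2: URL is not https://, nothing fetched
#   3: download failed (TLS error, HTTP error, redirect off HTTPS)
#   1: downloaded but checksum mismatch; the file is deleted
#   0: file at DEST matches the pinned hash and is safe to inspect/run
fetch_and_verify() {
  url=$1; expected=$2; dest=$3
  case "$url" in
    https://*) ;;
    *) echo "refusing non-HTTPS URL: $url" >&2; return 2 ;;
  esac
  # --fail: HTTP errors are failures, not a saved error page
  # --proto '=https': only HTTPS is allowed, including after redirects
  curl --fail --silent --show-error --location \
       --proto '=https' --tlsv1.2 --output "$dest" "$url" || return 3
  if verify_script "$dest" "$expected"; then
    echo "checksum OK: $dest (review it, then run it explicitly)"
    return 0
  fi
  echo "CHECKSUM MISMATCH for $dest, discarding download" >&2
  rm -f "$dest"
  return 1
}

# Usage: ./fetch_verify.sh https://example.invalid/install.sh <sha256> ./install.sh
if [ "$#" -eq 3 ]; then
  fetch_and_verify "$1" "$2" "$3"
fi
```

The pinned hash has to come from somewhere the attacker cannot also rewrite
(a release page fetched separately over HTTPS, a signed release note, a
colleague who already verified it); a checksum published on the same insecure
page as the script adds nothing.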

~~~
dozzie
Now me being mean: what did you expect from people who can't work with a
binary tree? Technical prowess?

