

Please stop piping curl(1) to sh(1) - chrissnell
http://output.chrissnell.com/post/69023793377/stop-piping-curl-1-to-sh-1

======
migrantgeek
I agree that it's insecure but so is ./configure && make && make install

Or what about places that give you a Yum repo to install

    cd /etc/yum.repos.d/
    wget http://download.opensuse.org/repositories/isv:ownCloud:devel/RedHat_RHEL-6/isv:ownCloud:devel.repo
    yum install owncloud-client

It's all the same to me. A user is just saying "I trust you enough to run this
thing or this system isn't that important to me so the risk is acceptable".

I'd argue the Yum way is even more dangerous because if bad stuff isn't sent
down now, an update could cause bad stuff to be installed in a month during a
yum update. That's much harder to catch.

~~~
0x0
Well, a yum repository would have to be maliciously modified to cause bad
things to happen. Piping curl could end up with fatal consequences even by
accident, if the shell script is cut off at the worst possible moment by
accidental connection loss...

~~~
migrantgeek
What if the repo was malicious from the start just waiting for you to install
the first safe version only to give you the trojan later?

The shell script prematurely terminating isn't really a security concern and
could be fixed by downloading and running the script separately.

I guess my argument is that if you don't trust the source, don't install the
application without looking through the code or running it through some analysis
software.

I would say that sites that tell users to install software in this fashion
should warn them about the dangers so people can make informed decisions.

------
emmelaich
Someone needs to make a utility which does a gpg check of the input before
passing it on to shell:

    curl ... | gpg-check-pipe | sh

Hey, that someone could be me :-0
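Two things in this thread are easy to demonstrate in a few lines of shell: the "script cut off at the worst possible moment" hazard that 0x0 raises (sh executes each line as it arrives, so a dropped connection can leave it holding a shorter, very different command than the author wrote), and the verify-before-pass filter emmelaich sketches as `gpg-check-pipe`. The block below is an added example, not code from the linked post or from any commenter. It assumes a POSIX sh with `mktemp(1)` and `head -c` (GNU or BSD); the installer script is constructed for the demo, and the `install.sh.asc` signature file in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the linked post or any commenter). Assumes POSIX sh,
# mktemp(1) and head -c. Paths are created under a fresh temp directory.

# Constructed sample installer. Its last line is the classic trap: if the
# stream stops anywhere between "rm -rf ROOT/app" and "/cache", sh runs
# "rm -rf ROOT/app" instead of the cache cleanup the author intended.
make_installer() {   # $1 = install root (literal path baked into the script)
    printf '%s\n' \
        "mkdir -p $1/app/cache $1/app/bin" \
        "echo installed > $1/app/bin/tool" \
        "rm -rf $1/app/cache"
}

# Byte count at which a dropped connection would leave sh holding
# "rm -rf ROOT/app" with the "/cache" suffix still in flight.
cut_point() {        # $1 = install root
    prefix="rm -rf $1/app"
    echo $(( $(make_installer "$1" | head -n 2 | wc -c) + ${#prefix} ))
}

# Run the full installer, then replay it truncated at cut_point, exactly as
# "curl URL | sh" would on a connection loss. Prints DESTROYED when the
# truncated stream deleted the installed tool; returns 0 in that case.
demo_truncation() {
    root=$(mktemp -d) || return 2
    make_installer "$root" | sh                       # complete script: fine
    [ -f "$root/app/bin/tool" ] || { rm -rf "$root"; return 2; }
    make_installer "$root" | head -c "$(cut_point "$root")" | sh
    if [ -f "$root/app/bin/tool" ]; then
        echo SURVIVED; rm -rf "$root"; return 1
    fi
    echo DESTROYED; rm -rf "$root"; return 0
}

# The gpg-check-pipe idea: buffer the ENTIRE stream to a temp file, run a
# verifier over the complete file, and only then pass the bytes on. A
# truncated or tampered script therefore never reaches sh. The verifier gets
# the temp file path as its last argument, so with a detached signature:
#   curl -sSf URL | verify_then_pipe gpg --verify install.sh.asc | sh
# (install.sh.asc is hypothetical). The verifier's stdout goes to stderr so
# that nothing but the verified script lands on the pipe into sh.
verify_then_pipe() { # $@ = verifier command; stdin = untrusted stream
    buf=$(mktemp) || return 1
    cat > "$buf" || { rm -f "$buf"; return 1; }
    if "$@" "$buf" 1>&2; then
        cat "$buf"; rc=0
    else
        echo "verify_then_pipe: verification failed, nothing passed on" >&2
        rc=1
    fi
    rm -f "$buf"
    return $rc
}

# Run "sh thisfile.sh demo" to watch the truncated replay delete the tool.
case "${1-}" in demo) demo_truncation ;; esac
```

The same buffering is what migrantgeek's "download and run the script separately" amounts to; the filter just makes it a one-liner and adds the signature check. Note that a detached signature only helps if the public key was obtained out of band (not from the same host that serves the script), and that a checksum published on that host protects against truncation but not against a malicious or compromised server.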

------
vezzy-fnord
Previous discussion on the same topic:
[https://news.ycombinator.com/item?id=6650987](https://news.ycombinator.com/item?id=6650987)

A fun and educational game that demonstrates why you shouldn't do this:
[http://russianroulette.sh/](http://russianroulette.sh/)

