
Curl | sh - enedil
https://curlpipesh.tumblr.com
======
echeese
How's this any more dangerous than "download this .exe" or "add this apt
repository" especially over https?

~~~
yoo1I
The canonical example is this:

Imagine an installer script that runs a build script and then cleans up after
itself. So somewhere in the depths of it there is the command _rm
/home/gonzales/.build/foo_, but the network connection cuts out just after
_/home/gonzales_, so the last thing that the interpreter sees is _rm
/home/gonzales_ and well ... there you go.

Stranger things have happened.

~~~
ash
It's a valid concern. The solution is to wrap the whole script in a bash
function executed on the last line.

~~~
lucb1e
Which, it should be noted, is also typical. I'm sure you can find many
examples that don't if you go looking for it, but most I've seen do this,
especially in recent years.
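
The cut-off transfer yoo1I describes and the function-wrapper fix ash gives, as an added example (this is not code from the thread or from any installer it discusses). It builds a throwaway directory under mktemp that stands in for /home/gonzales, feeds sh the installer text cut off right after "/home/gonzales", and compares the plain script with the wrapped one. The sandbox layout, the file names and the "main" function name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates a curl|sh transfer that is cut
# off mid-command and shows why wrapping the script in a function, called only
# on the last line, stops sh from executing the partial text.
# The mktemp directory stands in for the real home directory (an assumption of
# this demo); nothing outside it is touched.

# Create a throwaway "home" to act on; prints the sandbox root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/home/gonzales/.build"
    echo "keep me" > "$root/home/gonzales/documents"
    echo "build output" > "$root/home/gonzales/.build/foo"
    printf '%s' "$root"
}

# Installer body as the author wrote it: the cleanup line comes last.
installer_body() {
    printf 'echo building\nrm -rf %s/home/gonzales/.build/foo\n' "$1"
}

# The same body as it arrives when the connection drops after "/home/gonzales".
installer_body_truncated() {
    printf 'echo building\nrm -rf %s/home/gonzales' "$1"
}

# Pipe script text into sh and report what happened to the sandbox.
# Prints: "<ran|nothing-ran> <home-intact|home-deleted> <foo-present|foo-removed>"
run_and_report() {
    root=$1
    out=$(printf '%s' "$2" | sh 2>/dev/null) || :
    [ -n "$out" ] && ran=ran || ran=nothing-ran
    [ -d "$root/home/gonzales" ] && home=home-intact || home=home-deleted
    [ -f "$root/home/gonzales/.build/foo" ] && foo=foo-present || foo=foo-removed
    rm -rf "$root"
    printf '%s %s %s' "$ran" "$home" "$foo"
}

# Case 1: plain script, truncated. sh executes the lines it received, and the
# last one is now "rm -rf .../home/gonzales".
demo_naive_truncated() {
    root=$(make_sandbox)
    run_and_report "$root" "$(installer_body_truncated "$root")"
}

# The fix from the thread: put the body inside a function that is only called
# on the final line.
wrap_in_function() {
    printf 'main() {\n%s\n}\nmain\n' "$1"
}

# Case 2: wrapped script, truncated at the same point. The closing "}" and the
# call never arrive, so sh sees an unfinished function definition, reports a
# syntax error and executes nothing, not even "echo building".
demo_wrapped_truncated() {
    root=$(make_sandbox)
    run_and_report "$root" "$(printf 'main() {\n%s' "$(installer_body_truncated "$root")")"
}

# Case 3: the wrapped script delivered in full still does its job.
demo_wrapped_complete() {
    root=$(make_sandbox)
    run_and_report "$root" "$(wrap_in_function "$(installer_body "$root")")"
}

printf 'naive, truncated:   %s\n' "$(demo_naive_truncated)"
printf 'wrapped, truncated: %s\n' "$(demo_wrapped_truncated)"
printf 'wrapped, complete:  %s\n' "$(demo_wrapped_complete)"
```

Run it with sh (bash parses an unterminated function definition the same way). Note what the wrapper does and does not buy you: it protects against a cut-off transfer, because the interpreter never reaches the call on the last line, but it does nothing against a script that is malicious or has been replaced on the server, which is a separate question from the one this subthread is about.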

------
ash
"Is curl|bash insecure?"

[https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...](https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install)

~~~
dunkelheit
Thanks for posting a balanced perspective. I find passive-aggressive
finger-pointing at the OP blog really distasteful. It implies (but never says
directly) 'look at those lamers lol. and if you need some explanation on why
this is bad you are a lamer too'.

------
Matt3o12_
For most users, it doesn't make a difference if they install a shell script by
first downloading it, and then executing it. While checking for PGP signatures,
etc. is nice, only a very small portion of users will actually do that or check
the source of the script. I believe those users are smart enough to first
download it manually and then check it. For the rest of the users, this is
really convenient, and fast. No need to store a junk script and copy/paste
two commands. Sure a simple "apt-get|yum install PACKAGE" would have been
better but that adds more concerns: 1. If you let the package managers of
public repos (Ubuntu, Fedora) package your script, there are going to be a
lot of outdated versions. 2. If you want to host the repo yourself, you now
have to package your software at least twice for Fedora and Debian. The user
also needs to add another repo, which makes `update` a lot slower (especially
when having a lot of them pinned, because it needs to connect to n many URLs).

------
fibo
IMO curl | sh is really cool! I also wrote one that installs my home
environment

[https://github.com/fibo/home/blob/master/README.md#installat...](https://github.com/fibo/home/blob/master/README.md#installation)

------
SkyMarshal
Discussed multiple times at HN:

[https://news.ycombinator.com/from?site=curlpipesh.tumblr.com](https://news.ycombinator.com/from?site=curlpipesh.tumblr.com)

