

Ask HN: Alternative to curl https://install.foo.com | /bin/sh? - malandrew

It's well known that curling a script from the internet and executing it directly like so,

    curl https://install.foo.com | /bin/sh

seems to be frowned upon [0][1] for security reasons[2][3]. However, it's an incredibly effective way to help bootstrap a development environment. What are the best approaches to achieving the same goal without going through lots of the trouble with creating packages for every target system out there?

[0] https://news.ycombinator.com/item?id=4701745

[1] https://news.ycombinator.com/item?id=6008196

[2] http://blog.classicalcode.com/2012/11/curl-pipe-sh-exploit-proof-of-concept/

[3] https://news.ycombinator.com/item?id=3315461

real examples in the wild:

    ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"

    curl https://install.meteor.com | /bin/sh

    bash < <(curl -s https://rvm.io/install/rvm)

    curl get.pow.cx | sh

    curl -sS https://getcomposer.org/installer | php
======
kjs3
If you're bootstrapping an environment you created, checksum the download and
verify the checksum before feeding it to the "unpacker".

Another thought would be to mutually authenticate the SSL session. The curl
man page has good doco as to how to do this. It does involve mucking around
with PKCS12 key material, but it's not bad.

Best...do both.
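
The checksum step suggested in the comment above, as an added example that is not part of the thread or of any project named in it: the installer is saved to a file, its SHA-256 is compared with a pinned digest, and the interpreter only ever sees bytes that matched. The function names, the URL and the digest in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Fetch an installer to a file, check it against a pinned
# SHA-256, and run it only on a match. URL and digest are placeholders.

# sha256_of FILE: print the hex digest (coreutils, else perl's shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_file FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 on bad input.
verify_file() {
    [ -f "$1" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$expected" ]
}

# run_if_verified FILE EXPECTED_HEX [INTERPRETER]: execute only verified bytes.
run_if_verified() {
    if ! verify_file "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to run" >&2
        return 1
    fi
    "${3:-/bin/sh}" "$1"
}

# fetch_verify_run URL EXPECTED_HEX [INTERPRETER]
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    rc=1
    # -f makes HTTP errors fail, so an error page is never hashed or run;
    # --proto '=https' also refuses a redirect down to plain HTTP.
    if curl -fsSL --proto '=https' -o "$tmp" "$1"; then
        rc=0
        run_if_verified "$tmp" "$2" "${3:-/bin/sh}" || rc=$?
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder values; take the digest from a channel other than the
# download host):
#   fetch_verify_run https://install.foo.com "<pinned-sha256-hex>"
```

Unlike the pipe form, a truncated or substituted download fails the comparison before any line of it is executed.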

