Curl | shell Considered Harmful? (amateurtopologist.com)
3 points by ben0x539 on Nov 3, 2013 | 4 comments


Is it a terrible idea? Yes. Do I do it anyway? Yes. Do I do it with non-mainstream projects I've never heard of? Nope. Does that make it ok? No, of course not, but that's the level of risk I'm willing to accept.

It's not really any different than downloading and installing/executing something like Sublime Text or Alfred.


Amen to that. Everybody boasts about open-source and security but in the end, we just can't check up on every single line of code we get from the internet. There is a line of security people are willing to give up: piping RVM install to shell is okay. Downloading a binary from a shady site just to get a YouTube downloader, nope.


It is dangerous... but how often do people verify GPG signatures or, less secure yet, SHA-1 hashes of the download tarballs?

The curl piped into a shell is a bit too close to the edge for me.


Wow, this totally makes sense. Better safe than sorry!



