On the curl | sh pattern (emillon.org)
19 points by emillon on Dec 27, 2014 | 6 comments



This article completely neglects to mention the other dangers of this pattern, namely what happens when the connection drops mid-download[1] or the server responds differently based on user-agent or IP[2].

[1] http://www.seancassidy.me/dont-pipe-to-your-shell.html

[2] http://www.djm.org.uk/protect-yourself-from-non-obvious-dang...
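
An added example, not part of any comment in this thread: one way to guard against both dangers named above is to save the download to a file and run it only if it matches a pinned SHA-256, so a truncated or client-specific copy is refused instead of executed. The function names, file names and sample installer are hypothetical, and the pinned digest is assumed to be published out of band.

```shell
#!/bin/sh
# Added example (not from the thread). verify_then_run, sha256_of and all
# file names are hypothetical.

sha256_of() {
    # Print the hex SHA-256 of file $1 with whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_then_run() {
    # $1 = fully downloaded script, $2 = pinned digest (assumed to be
    # published out of band). Runs the script only on an exact match.
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
    sh "$1"
}

# Constructed sample data: a stand-in installer and two damaged copies.
demo_dir=$(mktemp -d) || exit 1
cat > "$demo_dir/install.sh" <<'EOF'
echo "step 1: unpack"
echo "step 2: configure"
EOF
pinned=$(sha256_of "$demo_dir/install.sh")

# Case 1: the connection dropped and only the first 20 bytes arrived.
head -c 20 "$demo_dir/install.sh" > "$demo_dir/truncated.sh"
# Case 2: the server answered this client with different content.
printf 'echo "different content"\n' > "$demo_dir/variant.sh"

full_rc=0;    verify_then_run "$demo_dir/install.sh"   "$pinned" || full_rc=$?
trunc_rc=0;   verify_then_run "$demo_dir/truncated.sh" "$pinned" || trunc_rc=$?
variant_rc=0; verify_then_run "$demo_dir/variant.sh"   "$pinned" || variant_rc=$?
echo "full=$full_rc truncated=$trunc_rc variant=$variant_rc"
rm -rf "$demo_dir"
```

Only the intact copy runs; the other two return 1 without executing a single line.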


RVM, pow, heroku, homebrew... all things I had to deal with as a Ruby developer. I was shocked at how often it is recommended when I had to set up a new Ruby dev environment on OSX.

Too bad seeing Rust following that trend as well. I was hoping new platforms would evolve past that.


Rust doesn't do it, Cargo does. And it's only doing it until Rust reaches 1.0, by which time there will be a proper bundled Rust+Cargo installer. And it's downloading over HTTPS without disabling the certificate check, which is the least egregious form of this (and frankly, if you can't trust that your TLS sessions aren't being hijacked you have a bigger problem).


Is there a better platform-independent option?


It is not platform independent because it will never work on Windows. A two-step procedure of 1. picking the OS/distro and 2. the few lines to safely install on that system is hardly more complicated imho. Much safer, though.


https://get.docker.com/ does this too. Though I feel like they do a much better job than Adobe, when I download Flash from http and don't know what the installer does.



