Hacker News new | past | comments | ask | show | jobs | submit | dinozarw's comments login

  # How to use: 
  # curl https://make-firefox-private-again.com | sh
Can we please stop telling people to pipe curl into sh?


pico-8: Python Edition


> To install Zed on most Linux distributions, run the shell script below.

> curl https://zed.dev/install.sh | sh

Please stop telling people to curl pipe scripts into their shell...


Why? I’m going to run their software anyways. And this is a really easy way to run an installer.

This is basically the Linux equivalent of download and double click which is a user flow that is underrated for simplicity and usability.


Completely agree. Furthermore, you could always just not pipe it to sh, read it first if you care so much. Releasing and maintaining packages across a range of distros is extremely hard and time consuming, and they just released the linux version.


I don't see how maintaining a 150 lines script is more convenient and less of a hassle to maintain than having a pipeline building a flatpak, an rpm, a deb and a plain tarball with binaries.

In 2024, everyone looking for a code editor knows how to extract a tar.gz right?


> In 2024, everyone looking for a code editor knows how to extract a tar.gz right?

I'll raise my hand and say I still get the `tar` terminal command options confused and have to pause and figure out the file format I'm dealing with and the options. So, no, I usually don't know, and have to look it up in the manpage/help. "Was it -xvfz for this one? Shit I just did this recently..."


You don't even need a terminal if you can't remember the options. Extracting an archive is done by any half decent file manager.


> Releasing and maintaining packages across a range of distros is extremely hard and time consuming

That's why Flatpak exists


It's time consuming only if author interested in good UX. If author wants to use their users as alpha-testers, then he can spent a minimal amount of time on packaging.


Given that it's open source, it's not the authors' problem to package it. You can package it for your distro, or wait for someone to do it.

It will be better because you presumably use it. Chances are that the authors don't use the same distro as you do, so they are not in a good position to make a package for you.


Of course, nobody forces author to do anything, but insecure installation method will continue to generate loud warning about insecurity.


What makes it insecure?


It's other way around. Any method of installation is insecure by default. Moreover, hackers are able to penetrate even multi-layered security defence systems sometimes (for a short period of time). What makes this 0-security system secure?


I don't think I understand your point?

My argument is that the install method is just piping a curl command to your shell is _no less secure_ than any other typical application install procedure, and the user experience is pretty decent.

I don't think we should be generating "loud warnings" about so called "insecure install methods" nor should we fault the Zed authors for not solving software security.


The point is that when you use a distro, you trust that distro and its maintainers. If you use the package they build for you, then you rely on this trust.

Now if you use a random script from the internet, then you don't give your distro maintainers a chance to actually review the package and instead you blindly trust this script. Arguably you increase your attack surface.

Also a system package manager checks the packages (there is signatures and stuff), whereas piping a script to curl doesn't do that at all. So if the server is compromised, you just execute random code. It's harder to compromise the system package manager.


Curl checks the https certificate.

Distro maintainers in general do not audit the code they package.


> Curl checks the https certificate.

Which is not the same thing as a signature on the package, is it?

> Distro maintainers in general do not audit the code they package.

First, it depends on the distro. Second, they certainly do at least some kind of due diligence before packaging a new project. So there is some amount of selection (which you don't find in npm, cargo or pypi).


Yes, an one 0 security installation method cannot be less secure than an other 0 security installation method. Both are insecure.

However, when source code and compilation instructions are available, an independent maintainer can verify source manually, compile it in isolation, test in it in isolation, make patches, add SELinux rules, make package, then sign the package, to produce a secure package, which can be safely consumed by end users.


Because you don't know how the script is going to try to install the program. A double-click installer on Windows has a standard approach that results in the program being placed in C\Program Files and the files being tracked and an uninstaller being placed in a centralized location. On Linux, any random "installer script" could spew files all over your /usr or anywhere else with no way to clean them up. This could even break your OS.

The Linux equivalent to double-click installer is ... a double-click installer, Flatpak. Or for even more bonus points, make the app fully portable as an AppImage. In the rare case I can't find what I'm looking for in my distribution repos, I look for an AppImage.


> A double-click installer on Windows has a standard approach

Maybe today. In the past, I’ve had them spit stuff all over random places— not to mention registry cruft.


macOS for example checks the crypto signatures of downloaded apps, so it’s much better than randomly executing code from the internet. I think even Windows does this nowadays.


Linux distributions are doing this for 30 years.


Yes, if the script you're running adds a repository and uses the native package manager, which is not always the case.


Indeed!

Just release a flatpak, even a snap.

I’m not asking to support all distros. But at least one between flatpak and snap is enough to support pretty much all distros out there in a clean manner, not with curl | sh


Snap is never the answer. Every time I use snap I always get really sad, it could've been great but instead its incredibly slow. Like unusably slow


but then I will need curl | sh to install snap :(


lol

good stuff snap is in pretty much any distro repo out there :D


That's only for few minutes before I uninstall it.


I always see this comment and understand its reasoning, but people who check what they are installing are the same people who can download and check a shell script.

In this case it's 150 rows with spaces and comments and the first one is

# Downloads the latest tarball from https://zed.dev/releases and unpacks it # into ~/.local/. If you'd prefer to do this manually, instructions are at # https://zed.dev/docs/linux.

Then it's a download, extract and copy stuff around, it takes 1 minute to visually parse

If an install script is obfuscated then yeah, I'd skip it too.


Versus what? Everything you install involves trust at some point.


But linux [1] has absolutely zero security measures, and this has basically free reign over your computer to send off your .ssh folder, your browser cache, to install a permanent keylogger, etc.

[1] Standard “GNU”/linux desktops


True, but where's the difference between downloading a binary and executing it vs. downloading a script and executing that which will then download a binary and execute it?

In both cases, you trust the publisher and in both cases the publisher gets equal access to your machine.

Oh - you mean you're downloading the source code, then audit it, then compile it and only then you run it?

That's super great. That has saved you from the xz backdoor and all other supply chain attacks and will be of great help to you in the future. Let's hope no backdoor ever slips past your code review.


> where's the difference between downloading a binary and executing it vs. downloading a script and executing

The difference is that the attack vector of the shell script is an easier target.

If someone was to be malicious; they could manipulate the script and inject some sort of payload in disguise. It's an easier vector to damage than say an compiled package. One that's less prone to being detected in that the script could go for days undetected.

With the executable you can compare the checksum and with the whole package compiled it is less prone and more tricky to alter.

Unless that script is under monitoring 24/7, I'm going for binary but they don't support BSD anyway.


If I were to serve a targeted exploit like this, I would certainly hide it in the binary and have the binary determine whether it's running in the targeted environment and then run the payload.

It's much, much easier to hide a malicious payload in a binary than an easily auditable shell-script. And it's much easier to make a decision of whether the payload should be enabled or not if you are already running on the local machine.

If you don't trust a publisher, you really can't run anything of theirs. Shell script or, especially, binary.


Well, it can actually check if it’s being downloaded from the browser or from the shell (user-agent), so unless you are downloading it and running the downloaded script, it might still spoof what will get executed. Also, it can itself download other scripts.


See, I wouldn't. I would go for the script to either inject the payload to the package or inject to the host.

Even if it's auditable, how many people are actually verifying the shell script before hand?

You've just been given a command to download and execute.

And the potential of having lots of users downloading a shell script has a quicker attack path than users downloading the package. You have custom repos, holding their own distro packages for the software.


The difference is that i prefer flatpak (:


Obviously most distributions provide package managers that should be used for unified automated update mechanisms and gpg signing. Superior to curl | sh in every way.


It's not uncommon that the curl | sh method actually, among other things, detect what distro you're running and add the repos before installing via the package manager, so in the end it depends on what the script actually does. Atuin does it well for example: https://docs.atuin.sh/guide/installation/ -- and offers other options (as you should).


We're actually not going to be doing that for much longer. Lots of users kept querying how it was installed, where, how to remove it, etc.

The response of "it depends, we probably used your system package manager" was not often well received. Users who know how to use their package manager tended to just do that anyway, and not use the script.


I don't really understand the decision to completely stop doing it. If the script has logic to do A,B,C in different cases, why not just implement an --uninstall flag that does the opposite of A,B,C? Then users don't need to know or care what "type" of installation was done.


Of the three distros I know to more detailed extents, Debian, Arch and RedHat, none of those make it easy to install and keep updated a third-party package through the built-in package manager.

In all cases, signatures and repositories need to be configured, often requiring both root access and usage of the CLI and in all cases much harder than running an installer script (which might be doing exactly these steps).

To achieve easy means of installing using distro package managers means including the application in the distro itself, but now it's beholden to the distro's software update policies and thus stuck on that specific version for years or even decades.

That is not what a v0.something of an end-user centric desktop application wants for themselves.


Very different levels of trust though. And different levels of effort for malware (burning zero-days is expensive).

Also, cleaner uninstalls. If the software only has access to specific directories, I can be reasonably optimistic that removal will be clean.

Furthermore, it is much more convenient. E.g., I can just winget install vscode instead of having to google download links.


> Versus what?

Can Linux have something like the Mac App Store where apps don't have access to the whole system by default?


There's flatpak, which is cross-distro, sandboxed, and is installed by default on most distros. It uses xdg-desktop-portals to request access to files through a desktop-provided file picker.

Sadly code editors aren't really suitable for flatpaks, since they usually require access to dependencies installed on the host. This can be worked around by using dev containers, vor the IDE has to ne developed with sandboxing in Kind (like GNOME Builder).


Do you know difference between alpha, beta, and quality software? Linux distros have different goals, or different channels for different qualities of software, while vendors wants their users to be free alpha or beta testers.


> Nix without Nix

So, GNU Guix?


I have only read about it but my takeaway was that it was like an opinionated sibling technology rather than a successor one.

I don't know what a successor would look like, I worry that it would have to wrangle with 40 years of software compilation techniques.


I would start with Gentoo, which has recipes to build stuff from scratch for just about everything.


I came from fbsd ports so agreed but that's what I'm saying, that's more thsn 20 year old tech and we should be able to improve.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: