curl | sh. It's easy to miss the problem if you're still in the mindset of Windows software distribution, but these people are writing software on GNU/Linux, for GNU/Linux. You would think they'd realize that this is *never* a good idea.
curl foo | sh is basically equivalent to running precompiled binaries or the huge dependency mess that we have these days (simple programs pulling in 47289 libraries). We run completely untrusted code all the time and nobody cares anymore. The idea of eliminating distributions (which at least provide *some* layer of quality control) pops up again and again. A curl foo | sh is probably the *least* harmful thing these days, because it’s the easiest issue to fix. (Meh: Rust’s curl https://sh.rustup.rs | sh downloads a 15 MB binary that does god-knows-what.) Or am I missing the point? 🤔
@movq I just don't want to run such crapware. Browser, mail client and video player aside, I think I don't do too badly in that regard with my private stuff. Yeah, definitely ignoring the situation at the dayjob.
@prologic Only for Rust. Otherwise I stay away from that for sure.
curl | sh so much worse in my opinion. https://web.archive.org/web/20240311094552/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
(In the case of the Rust installer, I still wonder why they go through the trouble of having a shell script (POSIX, portable, even runs on Windows apparently), when all it does is download a binary and run that. Is that super useful to people, yeah? I’m sure there’s some reason, I just don’t see it.)
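As an added example (not part of the thread, not rustup's own installer logic), this is the "download first, then verify, then run" pattern that the posts above contrast with curl | sh: the whole script lands in a file before anything executes, and the server only ever sees a plain file download rather than the stalling pipe that the linked server-side detection trick relies on. The expected digest is assumed to be obtained out of band (release notes, a signed manifest), not from the same server that serves the script.

```shell
#!/bin/sh
# Added example: replace `curl URL | sh` with fetch -> verify -> execute.
# Assumption: EXPECTED_SHA256 comes from a channel independent of the
# download server; otherwise the check only proves the file is intact.
set -eu

# Print the SHA-256 of a file; works on GNU (sha256sum) and BSD (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when the file's digest matches the expected value.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
}

# install_from URL EXPECTED_SHA256
# Downloads the complete script to a temp file, verifies it, then runs it.
# Nothing executes if the transfer fails, is truncated, or the digest differs.
install_from() {
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    # -f: fail on HTTP errors, -L: follow redirects, --proto '=https': refuse
    # downgrade to plain http, -o: write to file instead of stdout/pipe.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"
    verify_script "$tmp" "$2"
    sh "$tmp"
}
```

Because the file is on disk before it runs, you can also read it first, which is the other thing the pipe form takes away from you.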