undefined | Better HN

0 pointsjacobscott10y ago0 comments

If the script source is on github and isn't run under sudo, is there a meaningful difference between curl | sh and apt-get install from a PPA, gem/pip install, etc?

0 comments

whorleater10y ago

Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.

jacobscottOP10y ago

The software has to be distributed somehow, right? Probably over https? What makes curl more susceptible to MITM than apt-get/pip/gem/etc?

I don't particularly like curl | sh either, but without sudo, I'm not sure how much it /really/ differs, security wise, from other options.

Edit: real package managers have improved features compared to curl, as outlined in another branch of the comments.

dchanm10y ago

If you want to be extra cautious you can verify that the script hasn't changed with our release key

https://patchworksecurity.com/releases.txt

The latest release (2.0.0) has been signed by my key 0x85C64E20

j / k navigate · click thread line to collapse