undefined | Better HN

0 pointsgeofft9y ago0 comments

"curl | sh" is no worse than "wget && tar xf && ./configure". I have yet to see anyone who knows how to audit a configure script generated by GNU autoconf, which is generally a multiple-tens-of-thousands-of-line monstrosity that generates a bunch of C files and compiles and runs them. FUD about "curl | sh" isn't rooted in any sensible security modeling.

As a general rule of thumb, if you think everyone around you is independently doing something stupid, you should first pursue the hypothesis that it is your reasoning that is flawed and not the entire rest of the world's.

0 comments

feld9y ago

But you're verifying the signature of the tarball first, right?

geofftOP9y ago

Almost all of the examples on that page use curl https:// | sh. Which, again, makes it a superior option to wget && gpg --verify && ./configure; I have yet to see anyone who is better at PGP fingerprint verification than their OS's SSL stack is at TLS certificate verification. (There are a very small number of people who are as good, but not better.)

j / k navigate · click thread line to collapse

0 pointsgeofft9y ago0 comments

0 comments

feld9y ago

But you're verifying the signature of the tarball first, right?

geofftOP9y ago

j / k navigate · click thread line to collapse