You can just not pipe the curl script to shell and inspect it [0]. Executing that is no worse than executing a random make command or `brew install`
> downloading the script first and inspecting it is a good idea, but still not as good as building directly from the code
No, you need to inspect the code too if you're that worried. I can write a makefile that just does this:

```make
build:
	curl http://example.com -o bad.txt && cat bad.txt
```
Either you're actually vetting what you run on your machine, or you're not. curl | sh isn't any worse than git clone && make.
> This is why we see people do things like publish a hash sum alongside binaries they offer, or use a digital signature. Then we can at least verify that a binary matches what the author says they released, or better yet ensure that the binary was produced by a trusted source.
So just publish the hash/signature next to the "install instructions" that contain the curl command, and let the user verify the hash themselves. Again, that has nothing to do with the install method.
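As an added example (not the commenter's own code), here is the download-then-verify step the post describes, done in shell: fetch the installer to a file, compare its SHA-256 against the hash published beside the install command, and only execute it if they match. The URL is hypothetical and the "downloaded" installer is constructed locally so the block runs offline; in real use the hash comes from the publisher's page, not from the script itself.

```shell
#!/bin/sh
# Added example, not the commenter's code: download-then-verify in place of
# curl | sh. Assumes the publisher prints a SHA-256 beside the install command.
# The "downloaded" installer below is constructed locally so this runs offline.

# sha256_of FILE: print the hex SHA-256, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_HEX: succeed only if the file's hash matches.
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_and_run FILE EXPECTED_HEX: execute the installer only after the
# hash check passes; otherwise refuse and return non-zero.
verify_and_run() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "hash mismatch for $1, refusing to run" >&2
        return 1
    fi
}

# Stand-in for:
#   curl -fsSL https://example.com/install.sh -o install.sh   (hypothetical URL)
# followed by copying the hash listed on the install page.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "installing (pretend)"\n' > "$tmp/install.sh"
    published=$(sha256_of "$tmp/install.sh")   # what the install page would list

    verify_and_run "$tmp/install.sh" "$published"   # hash matches, installer runs

    # Simulate a tampered download (e.g. a swapped mirror): one extra line.
    echo 'echo "malicious payload"' >> "$tmp/install.sh"
    if verify_and_run "$tmp/install.sh" "$published"; then
        echo "BUG: tampered script ran" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

demo
```

A hash served from the same origin as the script only catches a corrupted or substituted copy (a bad mirror, a broken download, an on-path change over plain HTTP); if the origin itself is compromised the attacker republishes both. A signature checked against a key obtained through a separate channel is what ties the script to the author, which is the stronger property the quoted reply is after.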