undefined | Better HN

0 pointsdpwm4y ago0 comments

I don’t think I’ve seen anybody insist curl | sh is fine from untrusted sources.

In many contexts, curl | sh is an alternative to adding some kind of additional repository to install a third party package — and in most package managers this is done as root anyway, with arbitrary pre-install and post-install scripts.

I’m not really sold on how curl | sh (with https) is any less secure than blindly following steps to add a repo.

I used to strongly dislike curl | sh, and if there’s some looming security risk beyond accidentally trusting bad actors who couldn’t be bothered to go to all the effort of setting up a repo then I’d genuinely like to know.

0 comments

Sophira4y ago

I have seen plenty of curl | sh invocations that pass the "-k" flag to curl, meaning that curl will allow insecure connections even if there are invalid SSL/TLS certificates.

eyelidlessness4y ago

You can detect curl | sh server-side and respond with different content than the inspectable source. The link I typically cite isn’t loading for me but you should be able to find more info if you’re curious.

j / k navigate · click thread line to collapse