undefined | Better HN

0 pointsakerl_12y ago0 comments

So does any package installation where you don't read the source. Piping curl into the shell is bad because the server can choose to serve malicious content to your curl that it didn't show in the browser.

0 comments

3 comments · 2 top-level

IgorPartola12y ago· 1 in thread

Not quite true. Not all packages are created equal. For example anything from PyPI, npm, Ruby Gems, and Homebrew is suspect. On the other hand Debian/Ubuntu or Red Hat repo's are likely much more trustworthy since they have actual paid trusted maintainers who review the source code.

akerl_OP12y ago

Not sure where you got that impression. In lots of cases, package maintainers are people who use the software and are volunteering their time to bundle it up with the necessary bits to put in a distro repo. The same is true of language-specific repos or homebrew.

Crito12y ago

> Piping curl into the shell is bad because the server can choose to serve malicious content to your curl that it didn't show in the browser.

And to head off objections, Piping curl into the shell does not leave any record on disk, unlike the "download .... ./execute" workflow in which it is trivial and natural to insert "and take a quick peek at it too".

Edit: And in the best case scenario, where the script delivered by curl is perfectly innocent, it is still a bad idea since you are left with no authoritative record of what was done. You could run curl again in the future, but that assumes that the same version is delivered, or that the file is still there at all.

j / k navigate · click thread line to collapse