curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • @[email protected]English
    72 months ago

    How do I know the maintainers of the repo haven’t gone rogue and are now distributing malware?

    Depends on the repo but at least for Debian, there’s a path of trust between GPG keys I’ve signed and the Debian release GPG keys.

    • @[email protected]
      52 months ago

      How do you know that the malware goblin hasn’t installed malware on your computer when you weren’t looking?

      I think the only foolproof plan is using boulders, stones, and perhaps other blunt objects to deal with the issue of code executing altogether.

        • @[email protected]
          12 months ago

          If there’s code running on a machine, there’s a possibility it’s malicious or unsafe, the only solution is destruction of anything that can run code.