curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • jagged_circle@feddit.nlEnglish
    11·
    18 hours ago

    All publishing infrastructure shouldn’t be trusted. Theres countless historical examples of this.

    Use crypto. It works.

    • FizzyOrange@programming.dev
      11·
      13 hours ago

      Crypto is used. It is called TLS.

      You have to have some trust of publishing infrastructure, otherwise how do you know your signatures are correct?

      • jagged_circle@feddit.nlEnglish
        11·
        5 hours ago

        TLS is a joke because of X.509.

        We dont need to trust any publishing infrastructure because the PGP private keys don’t live on the publishing infrastructure. We solved this issue in the 90s