curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

    • moonpiedumplings@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      48 minutes ago

      Docker doesn’t do this anymore. Their install script got moved to “only do this for testing”.

      Use a convenience script. Only recommended for testing and development environments.

      Now, their install page recommends packages/repos first, and then a manual install of the binaries second.