curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?
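One way to answer the question above in code: an added example (not from any poster in this thread) that replaces the pipe with download, pinned SHA-256 check, then run. The function names, the out-of-band digest and the use of `curl -f` are my own assumptions, not something the thread specifies.

```shell
# Safer replacement for `curl URL | sh`: fetch to a file first, compare it
# against a SHA-256 the publisher lists out of band, and run it only if the
# digest matches. Function names and the pinning workflow are assumptions.

# Print the SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED  -> 0 if the file's SHA-256 equals EXPECTED
verify_digest() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED [args...]
# Runs FILE with sh only after the digest check passes.
# Returns the script's exit status, or 2 if the digest did not match.
run_verified() {
    file=$1; expected=$2; shift 2
    if ! verify_digest "$file" "$expected"; then
        echo "digest mismatch for $file, refusing to run" >&2
        return 2
    fi
    sh "$file" "$@"
}

# fetch_verify_run URL EXPECTED [args...]
# The piped form executes bytes as they arrive, so a connection dropped
# mid-script runs whatever prefix has been received. Writing to disk first
# means nothing executes until the whole file is present and checked.
fetch_verify_run() {
    url=$1; expected=$2; shift 2
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors instead of saving an error page as the script
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    run_verified "$tmp" "$expected" "$@"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Pinning a digest only helps if the expected value comes from somewhere other than the page that serves the script; a signature from the publisher's key gives the same guarantee with less manual bookkeeping.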

  • moonpiedumplings · 4 hours ago

    The non-rolling distros can take a year to update a package, even if they decide to include it.

    There is a reason why they do this. For stable release distros, particularly Debian, they refuse to update packages beyond fixing vulnerabilities as part of a way to ensure that the system changes minimally. This means that, for example, if a piece of software depends on a library, it will stay working for the lifecycle of a stable release. Sometimes latest isn’t the greatest.

    Distributions aren’t going to standardize on Arch’s APKBUILD, or Alpine’s almost identical but just slightly different enough to not be compatible PKGBUILD.

    You swapped PKGBUILD and APKBUILD 🙃

    I’m starting to think something like a yay that installs into $HOME.

    Homebrew, in theory, could do this. But they insist on creating a separate user and installing to that user’s home directory.