curl https://some-url | sh
I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?
I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?
I hate this, but I’ve mentioned before in the other threads related to this that I make an exception for package managers due to their ability to install packages themselves.
Systems that protect people mean bureaucracy. And bureaucracy means slowness. It means many niche libraries or programs won’t get packaged. It means that it won’t get updated to the latest version immediately either, even if they receive security updates.
But as a consequence of these systems, Debian 12 remained entirely untouched by the XZ backdoor, when almost every other distribution was hit. That’s a pretty big deal.
As a consequence of a lack of these systems, many Windows programs are still floating around with vulnerable versions of curl, having included the software into their “package” but never bothering to update it.
I care more about the security of the users than the feelings of the developers. It’s that simple. Developers are a tiny fraction of total computer users. The needs of the many outweigh the wants of the few.