undefined | Better HN

0 pointsjjnoakes8y ago0 comments

Why would you be using a random ip? That incantation is usually used with a URL where you would have just downloaded and installed the software manually anyway.

There are various arguments against the curl-piped-to-shell idiom but "random ip" doesn't seem like a valid one.

0 comments

shakna8y ago

A URL and an IP are not equal.

Building a script that acts differently for a web browser, a normal download, and curl, is trivial, and I've seen it happen. Here's a proof-of-concept[0] someone else wrote.

Manually downloading is safer, at least you can review, curling straight into a shell is inherently unsafe.

The better option is still a package manager, but curling straight to a shell is very unsafe.

[0] https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install...

jjnoakesOP8y ago

Why would you be using an IP and not a URL?

And why wouldn't you trust the source of the install script as much as any other installer?

Do you audit the binary installers you use as well?

I don't disagree about a minor difference between the methods, but I definitely disagree with piping to sh being "very unsafe". If you trust the site/author enough to run their code on your computer at all, the install method risk difference is but a tiny drop in the bucket.

shakna8y ago

> If you trust the site/author enough to run their code on your computer at all

Piping curl, means you can't be sure it came from the author's site.

It means you can't be sure you're getting the same software you've been considering installing.

It means a broken connection is a broken install, with no cleanup and no idea what it has changed.

> Do you audit the binary installers you use as well?

Don't install random binaries either. The security implications of that should be fairly obvious.

2 more replies

j / k navigate · click thread line to collapse

0 comments

shakna8y ago

A URL and an IP are not equal.

Building a script that acts differently for a web browser, a normal download, and curl, is trivial, and I've seen it happen. Here's a proof-of-concept[0] someone else wrote.

Manually downloading is safer, at least you can review, curling straight into a shell is inherently unsafe.

The better option is still a package manager, but curling straight to a shell is very unsafe.

[0] https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install...

jjnoakesOP8y ago

Why would you be using an IP and not a URL?

And why wouldn't you trust the source of the install script as much as any other installer?

Do you audit the binary installers you use as well?

shakna8y ago

> If you trust the site/author enough to run their code on your computer at all

Piping curl, means you can't be sure it came from the author's site.

It means you can't be sure you're getting the same software you've been considering installing.

It means a broken connection is a broken install, with no cleanup and no idea what it has changed.

> Do you audit the binary installers you use as well?

Don't install random binaries either. The security implications of that should be fairly obvious.

2 more replies

j / k navigate · click thread line to collapse