undefined | Better HN

0 pointsalways2slow2y ago0 comments

Thanks but... no thanks, you've missed my point entirely. Why would I want to run peer to peer software built by developers whose security stance starts with curl-bash? Would you curl-bash a webserver? an email server? No? Probably even worse for your source code repository then right?

0 comments

LegibleCrimson2y ago

The problems with curl-bash are overblown. You are pretty much exactly as vulnerable running pip install, npm install, or cargo install.

Not that curl bash is great, but it's not uniquely horrible when the goal is to run some unvetted code on your machine.

If you care about security, you have to either vet the code or trust the source. When you install through your package manager, you're trusting the maintainers. When you install from curl bash, a random website, or any unvetted software source, you are electing to trust the developers or site directly.

saurik2y ago

The big difference with curl|bash is that the download itself gets to execute in the context of the computer as it is downloading, which is a super power that makes it much easier to hide behaviors as you can make it extremely difficult for people to ever be able to just download a dead copy of the script to analyze it for malware.

mixmastamyk2y ago

Packages on those systems do get blocked at times. So no, not as risky.

andrewaylett2y ago

The counterpoint would be: you're intending to run their code, if it's malicious then you're hosed anyway.

In bygone times, one might suffer from a truncation attack or otherwise end up running arbitrary code that's not what the vendor intended. Nowadays, there's really no security difference in curl|bash vs downloading a package and running it. Or, indeed, installing using `cargo install`.

That doesn't mean I'm happy running it, but my argument against it is less a security argument and more a predictability one: I want to be able to cleanly uninstall later, and package managers normally provide more consistent support for uninstalling than an arbitrary shell script.

LegibleCrimson2y ago

The cleanup and uninstall concern is one of the reasons I run as many things in containers as I can. It's so easy to blow away a container and its volumes compared to traditional software uninstallation.

mplewis2y ago

Yeah, it’s much better to npx something or install a package off the AUR. Definitely much safer.

j / k navigate · click thread line to collapse

0 comments

LegibleCrimson2y ago

The problems with curl-bash are overblown. You are pretty much exactly as vulnerable running pip install, npm install, or cargo install.

Not that curl bash is great, but it's not uniquely horrible when the goal is to run some unvetted code on your machine.

saurik2y ago

mixmastamyk2y ago

Packages on those systems do get blocked at times. So no, not as risky.

andrewaylett2y ago

The counterpoint would be: you're intending to run their code, if it's malicious then you're hosed anyway.

LegibleCrimson2y ago

mplewis2y ago

Yeah, it’s much better to npx something or install a package off the AUR. Definitely much safer.

j / k navigate · click thread line to collapse