undefined | Better HN

0 pointstim--11mo ago0 comments

> in a reasonably secure fashion

It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline. https://lukespademan.com/blog/the-dangers-of-curlbash/

There is 0 validation that the script that you are piping into bash is the script that you expect. Even just validating the command by copying and pasting the URL in a browser -- or using curl and piping into more/less is not enough to protect you.

0 comments

bee_rider11mo ago

>> Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

> It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline.

I’m confused by this; it seems to be written in the tone of a correction but you both seem to be saying that you get whatever the server sends. (?)

tim--OP11mo ago

> you both seem to be saying that you get whatever the server sends

Yes, but I am also saying that you can't verify that the script that is run on one machine with a pipe is the same script that runs on a second machine with a pipe.

The key part of the original statement is the server can choose to send different scripts based on different factors. A curl&bash script on machine 1 does not necessarily mean the same curl&bash script will be run on machine 2.

The tooling provided by a `curl | bash` pipeline provides no security at all.

With winget, there is at least tooling to be able to see that the same file (with the same hash) will be downloaded and installed.

There are ways to do this better, for example, check out https://hashbang.sh. It includes a GPG signature that is verified against the install script, before it is passed to curl.

ToValueFunfetti11mo ago

The parent is talking about MITM, which is prevented with TLS and curl but not winget. They are saying curl is strictly better, not that it is impenetrable. If you trust the domain owner, you can trust curl | bash, but you can't trust winget

tim--OP11mo ago

Why can't I trust winget?

It's not hard to run the `show` command to see what a winget install will do. https://learn.microsoft.com/en-us/windows/package-manager/wi...

It's easy enough to view the manifests (eg, https://github.com/microsoft/winget-pkgs/blob/2ecf2187ea0bf1...) and arguably, is better then the protection for MITM that you would get using naked cURL & Bash, simply because there are file hashes for all of the installer files provided by a third party.

> They are saying curl is strictly better, not that it is impenetrable

Right. But it arguably is not strictly better.

> You can't trust winget

Again, this is not backed up by anything. I have trust in winget. I can trust that the manifest has at least been vetted by a human, and that the application that will be installed should be the one that I requested. I can not trust that this will happen with curl | bash. If the application that is installed is not the one that I requested, there is tooling a process to sort out why that did not happen, and a way to flag it so that it doesn't happen to other users. I don't have this with curl | bash.

j / k navigate · click thread line to collapse

0 comments

bee_rider11mo ago

>> Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

> It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline.

I’m confused by this; it seems to be written in the tone of a correction but you both seem to be saying that you get whatever the server sends. (?)

tim--OP11mo ago

> you both seem to be saying that you get whatever the server sends

Yes, but I am also saying that you can't verify that the script that is run on one machine with a pipe is the same script that runs on a second machine with a pipe.

The tooling provided by a `curl | bash` pipeline provides no security at all.

With winget, there is at least tooling to be able to see that the same file (with the same hash) will be downloaded and installed.

There are ways to do this better, for example, check out https://hashbang.sh. It includes a GPG signature that is verified against the install script, before it is passed to curl.

ToValueFunfetti11mo ago

tim--OP11mo ago

Why can't I trust winget?

It's not hard to run the `show` command to see what a winget install will do. https://learn.microsoft.com/en-us/windows/package-manager/wi...

> They are saying curl is strictly better, not that it is impenetrable

Right. But it arguably is not strictly better.

> You can't trust winget

j / k navigate · click thread line to collapse