> in a reasonably secure fashion
It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline. https://lukespademan.com/blog/the-dangers-of-curlbash/
There is 0 validation that the script that you are piping into bash is the script that you expect. Even just validating the command by copying and pasting the URL in a browser -- or using curl and piping into more/less is not enough to protect you.
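The mitigation implied by the post above is to stop piping: save the script to a file, pin its digest, and execute exactly the bytes you inspected, so the server cannot hand you one version to read and another to run. The following is an added example and not code from the thread; `sha256_of`, `verify_script`, `fetch_verify_run` and `demo` are hypothetical helper names, and the pinned digest in a real deployment would come from somewhere other than the server that serves the script (a release page, a signed manifest). The demo at the bottom works offline on a constructed script file.

```shell
#!/bin/sh
# Added example, not code from the thread: the "download, pin a hash, then run
# the verified file" pattern as a replacement for `curl URL | bash`.
# Helper names are hypothetical; the expected digest is supplied by the caller
# and should be obtained out of band, never from the same server.
set -eu

# Print the SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED: return 0 when FILE hashes to EXPECTED, 1 otherwise.
# Hashing the saved file means the bytes you read (e.g. with less), the bytes
# you hash, and the bytes you execute are all the same bytes.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    printf 'hash mismatch for %s\n  expected %s\n  got      %s\n' "$1" "$2" "$actual" >&2
    return 1
  fi
  return 0
}

# fetch_verify_run URL EXPECTED: the safe shape of `curl URL | bash`.
# --proto '=https' refuses any plain-HTTP redirect, so TLS covers the MITM
# case; the digest check covers the server itself serving a different script
# than the one that was reviewed. Nothing is executed unless both pass.
fetch_verify_run() {
  tmp=$(mktemp)
  if curl -fsSL --proto '=https' -o "$tmp" "$1" && verify_script "$tmp" "$2"; then
    if sh "$tmp"; then status=0; else status=$?; fi
  else
    status=1
  fi
  rm -f "$tmp"
  return $status
}

# Offline demonstration with constructed files: pin the digest of a reviewed
# copy, then check that the identical copy passes and an altered copy is
# rejected before anything runs. Returns 0 on the expected outcome.
demo() {
  good=$(mktemp); altered=$(mktemp)
  printf '#!/bin/sh\necho "installer ran"\n' > "$good"
  pinned=$(sha256_of "$good")          # the digest you would publish / pin
  cp "$good" "$altered"
  printf 'echo "extra line added by the server"\n' >> "$altered"

  result=1
  if verify_script "$good" "$pinned" && ! verify_script "$altered" "$pinned" 2>/dev/null; then
    sh "$good" >/dev/null && result=0   # only the verified copy is executed
  fi
  rm -f "$good" "$altered"
  return $result
}

demo && echo "verified copy ran, altered copy rejected"
```

Usage from a real install procedure would be `fetch_verify_run https://example.invalid/install.sh <pinned-sha256>` (placeholder URL and digest). The hash check only helps if the pinned value did not travel over the same channel as the script; a digest displayed on the same page the script comes from is changed just as easily as the script.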
The parent is talking about MITM, which is prevented with TLS and curl but not winget. They are saying curl is strictly better, not that it is impenetrable. If you trust the domain owner, you can trust curl | bash, but you can't trust winget.
>> Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.
> It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline.
I’m confused by this; it seems to be written in the tone of a correction but you both seem to be saying that you get whatever the server sends. (?)