Hacker News

bee_rider 06/25/2025 (1 reply)

>> Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

> It's trivial for a remote server to hand two different versions of a script with the traditional `curl | bash` pipeline.

I’m confused by this; it seems to be written in the tone of a correction but you both seem to be saying that you get whatever the server sends. (?)


Replies

tim-- 06/25/2025

> you both seem to be saying that you get whatever the server sends

Yes, but I am also saying that you can't verify that the script that is run on one machine with a pipe is the same script that runs on a second machine with a pipe.

The key part of the original statement is the server can choose to send different scripts based on different factors. A curl&bash script on machine 1 does not necessarily mean the same curl&bash script will be run on machine 2.

The tooling provided by a `curl | bash` pipeline provides no security at all.

With winget, there is at least tooling to be able to see that the same file (with the same hash) will be downloaded and installed.

There are ways to do this better, for example, check out https://hashbang.sh. It includes a GPG signature that is verified against the install script, before it is passed to curl.
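The difference tim-- draws between `curl | bash` and winget's hash check comes down to one step: save the script to a file, compare its digest against a value published out of band, and only then execute it. The shell script below is an added example written for this thread; it is not code from hashbang.sh, winget, or any commenter. The installer it verifies is a constructed sample written to a temp file, and the pinned digest is computed from that sample inside `demo` to stand in for a digest the author would publish separately; in real use `PINNED_SHA256` would be a fixed string and the file would come from `curl -fsSL -o "$tmp" "$URL"` rather than from `mktemp`.

```shell
#!/bin/sh
# Added example, not from the thread: replace `curl URL | bash` with
# download-to-file, verify a pinned SHA-256, then run. A server that hands
# this machine a different script than the one whose digest was pinned
# (the case tim-- describes) fails the comparison and nothing executes.

# Portable SHA-256 hex digest: sha256sum on GNU userlands, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns its status only if FILE's digest equals
# EXPECTED_SHA256; otherwise prints the mismatch and returns 1 without running it.
verify_then_run() {
    vr_file="$1"
    vr_expected="$2"
    vr_actual="$(sha256_of "$vr_file")"
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "refusing to run $vr_file: expected $vr_expected, got $vr_actual" >&2
        return 1
    fi
    sh "$vr_file"
}

# demo: builds a constructed installer, pins its digest (standing in for a
# digest published out of band), shows the matching case running and a
# modified copy being refused. Returns 0 if both behave as intended.
demo() {
    script="$(mktemp)" || return 1
    printf '%s\n' '#!/bin/sh' 'echo "constructed installer ran"' > "$script"
    pinned="$(sha256_of "$script")"   # hypothetical published digest

    # Unmodified file: digest matches, the script is executed.
    verify_then_run "$script" "$pinned" || { rm -f "$script"; return 1; }

    # Simulate the server serving a different script to this machine.
    printf '%s\n' 'echo "extra line this machine was not supposed to get"' >> "$script"
    if verify_then_run "$script" "$pinned" 2>/dev/null; then
        rm -f "$script"
        return 1   # must have been refused
    fi
    rm -f "$script"
    return 0
}

# Real-world shape of the call (not executed here, URL and digest are placeholders):
#   tmp="$(mktemp)" && curl -fsSL -o "$tmp" "https://example.invalid/install.sh" \
#     && verify_then_run "$tmp" "$PINNED_SHA256"
```

Pinning a digest only helps if the digest itself arrives over a channel the script server does not control (a README in a repository you already trust, a signed release page); a hash fetched from the same URL as the script just moves the problem, which is what the GPG signature in the hashbang.sh approach mentioned above addresses.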