Hacker News

tuhgdetzhh, last Sunday at 3:13 PM (5 replies)

I'm always a bit shocked how casually people wget and execute shell scripts as part of their install process.

This is the equivalent of giving an author of a website remote code execution (RCE) on your computer.

I get the idea that you can download the script first and carefully read it, but I think that 99% of people won't.


Replies

stouset, last Sunday at 8:24 PM

I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

VMG, last Sunday at 7:19 PM

The thing that gets installed, if it is an executable, usually also has permissions to do scary things. Why is the installation process so scrutinized?

balder1991, last Sunday at 3:28 PM

Even assuming it’s not malicious, the script can mess up your environment configuration.

OptionOfT, last Sunday at 5:16 PM

Equally I don't like how many instructions and scripts everywhere use shorthands.

Sometimes you see curl -sSLfO. Please, use the long form. It makes life easier for everybody. It makes it easier to verify, and to look up. Finding --silent in curl's docs is easier than reading through every occurrence of -s.

   curl --silent --show-error --location --fail --remote-name https://example.com/script.sh

Obligatory xkcd: https://xkcd.com/1168/
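The "download the script first and read it" workflow from the top comment, written with the long-form curl flags from the comment above, as an added example that is not code from any commenter. The function names, the pinned-digest step and the `--proto`/`--proto-redir`/`--tlsv1.2` flags are additions made here; the URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: fetch an install script to disk, check it against a pinned
# SHA-256, and only then make it available to read and run.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only when the digest matches
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Downloads to a temp file so a partial or altered download never lands at DEST.
fetch_verified() {
    url=$1; want=$2; dest=$3
    tmp=$(mktemp) || return 1
    if ! curl --silent --show-error --location --fail \
              --proto '=https' --proto-redir '=https' --tlsv1.2 \
              --output "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$want"; then
        echo "digest mismatch for $url: got $(sha256_of "$tmp")" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$dest"
}

# Usage (placeholder URL and digest):
#   fetch_verified https://example.com/script.sh <pinned-sha256> ./script.sh \
#     && less ./script.sh && sh ./script.sh
```

The pin only means something if it was recorded when the script was reviewed, or obtained over a channel separate from the download host; it then guarantees that the bytes executed are the bytes that were read.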
zenlot, last Sunday at 3:41 PM

If you don't trust the software, don't install it.
