$ curl ${flags} https://site.io/install.sh | sh $ curl ${flags...

stouset • last Tuesday at 6:16 PM • 1 reply • view on HN

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool

Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.

Replies

shakna • last Tuesday at 7:24 PM

I'm not advocating for either of those.

    pacman -Sy {tool}
    pkg_add {tool}
    apt install {tool}

Even the AUR does a lot more to make you secure, than a straight curl - even though throwing things up there is easy.

alt Hacker News

Replies