"curl -fsSL https://... | alt Hacker News

jwr • today at 2:41 PM • 10 replies • view on HN

"curl -fsSL https://pi.dev/install.sh | sh" — seriously? That tells me a lot about the whole project, unfortunately.

Replies

throwaway2027 • today at 2:45 PM

Claude Code does it the same way (which doesn't excuse it obviously) but still.

curl -fsSL https://claude.ai/install.sh | bash

https://code.claude.com/docs/en/quickstart

➕ show 1 reply

mik3y • today at 2:47 PM

I am genuinely curious what it tells you, as "curl https//.. | sh" has long been an enormously popular approach to distribution in the open source world. Homebrew, to name just one example, advertises a similar method.

(pi.sh also documents other install methods, like `npm`, on their homepage)

If trust and security is the issue, unfortunately "better" ideas like hashpipe [1] never achieved critical mass

    [1] https://news.ycombinator.com/item?id=9318286

➕ show 3 replies

sippeangelo • today at 3:03 PM

Seriously, what is the threat model here?

➕ show 2 replies

efficax • today at 2:50 PM

it tells you they're just like basically every other CLI targeting project for the last 15 years? I mean is it a big security hole we all accept, yes, it is. But it's not really indicative of much. That's also how I install rust.

➕ show 1 reply

Arubis • today at 2:48 PM

I get this, and would recently have had a similar reaction. But I have to ask: do you typically run your agent harness in yolo mode?

horsawlarway • today at 2:51 PM

Yeah, totally reasonable comment given the utter security that must come from anthropic with their installer, amiright?

oh wait...

"curl -fsSL https://claude.ai/install.sh | bash"

(right from https://claude.com/product/claude-code)

Further - what the flicking fuck do you think an installer is going to do on your system? Not run any commands? Because I've written installers for every platform... they ALL can run commands.

So what exactly is the complaint in this comment? If you want to go read the install script - knock yourself out (or hell, point your agent at it...).

➕ show 1 reply

qarl2 • today at 3:03 PM

My dude - if you're going to trust them then you're going to trust them.

You think it's hard to obfuscate shell calls from inside a built executable?

What it tells us is that you're probably searching for reasons to grouse about AI.

tuvix • today at 2:44 PM

both the Julia and Rust programming languages use curl -> sh to install

➕ show 1 reply

plagiarist • today at 2:49 PM

In general I agree with you, but on the other hand it is an agentic coding agent you should have isolated in a container or VM anyway

lo0pback • today at 2:43 PM

[dead]