If your project uses something like "curl/wget <URL> | sudo bash" to perform the , consider fixing this. Tim Serong explains why this is a very bad idea and how it can be fixed:


Now some may say: "but I could download the shell script beforehand as well and analyze it!"

That usually works, but it is actually possible to deliver a different script depending on whether it's downloaded or piped:


@lenzgr if I don't trust your script, why would I trust your rpms or debs either? They also run as root.

To me the far more compelling reason for distributing packages of some kind is that I want to know what version I'm getting, otherwise I have no idea what's installed except that it's the latest available whenever I last ran the script.

@lenzgr if I want the same software on prod as on staging, or on all members of a cluster, or I want to test a bug fix against a config from 3 weeks ago, this ahistorical garbage is useless.

@telent RPMs come with checksums and signatures built-in, so I have a better chance of verifying that they haven't been tampered with. I also can download them and verify/inspect them before installing. And yes, they are versioned.
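The "download, verify, inspect, then install" workflow described above, as an added example that is not part of this thread: it stands in for package signatures with a pinned SHA-256 (which also pins the version, answering the staging/prod point), and every file, script body and digest in it is constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: replace "curl URL | sudo bash" with
# download -> compare against a pinned SHA-256 -> inspect -> run. Pinning the
# digest also pins the version, so staging and prod get byte-identical scripts.
# The installer file and its digest are constructed here so this runs offline.
set -eu

# Hash a file with whatever SHA-256 tool the host has (sha256sum or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE PINNED_SHA256
# Runs FILE only when its digest equals the value obtained out of band
# (release notes, a signed manifest, ...). Returns 1 and runs nothing
# otherwise, so a swapped, truncated or served-differently download never executes.
verify_then_run() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: digest $actual != pinned $2" >&2
        return 1
    fi
    sh "$1"
}

# demo: build a constructed installer, pin it, then show that a tampered
# copy is rejected. Returns 0 only if the genuine file ran and the
# tampered one did not.
demo() {
    dir=$(mktemp -d)
    printf 'echo "installer v1.2.3 ran"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")   # in practice published by the project
    verify_then_run "$dir/install.sh" "$pinned" || return 1
    printf 'echo "something else entirely"\n' >> "$dir/install.sh"
    if verify_then_run "$dir/install.sh" "$pinned"; then
        return 1                            # tampered file must not run
    fi
    rm -rf "$dir"
    return 0
}
```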

@lenzgr if you're interested, here's a slightly less ranty discussion for/against curl|bash from when it came up on a few years ago -

Thanks for the reminder. I knew the story before, but this is worth bringing up sometimes.
