For Ubuntu 24.10, we should patch bash so that when it's given content on stdin, it checks the process tree and if the sending process is curl, launches x-www-browser with a page on basic Internet safety instead of executing the command.
@vorlon curl | /lib64/ld-linux-x86-64.so.2 /dev/stdin
(no it doesn't actually quite work ... sadly?)
An option could be added to allow the script to be executed if you provide a SHA384 hash of the contents in the bash arguments. That would address some of the risks, but not all of them.
Of course people will find ways to bypass the protection:
wget -O - example.com | cat | /bin/sh
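The hash check suggested above, as an added example that is not part of the thread and not a bash feature: a wrapper that buffers stdin, compares its SHA-384 digest to a pinned value, and only then runs it. `run_verified` is a hypothetical name, the demo script and digest are constructed, and GNU `sha384sum` is assumed; the pinned digest has to come from a channel other than the download itself, which is one of the risks the check does not cover.

```shell
# run_verified EXPECTED_SHA384 [ARGS...]
# Reads a script on stdin and executes it only if its digest matches.
# Runs in a subshell so its variables do not leak into the caller.
run_verified() (
    # Accept upper- or lower-case hex; sha384sum prints lower-case.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    # A SHA-384 digest is exactly 96 hex digits; reject anything else.
    case $expected in
        ''|*[!0-9a-f]*) echo "run_verified: digest must be hex" >&2; exit 2 ;;
    esac
    [ "${#expected}" -eq 96 ] || { echo "run_verified: need 96 hex digits" >&2; exit 2; }

    tmp=$(mktemp) || exit 2
    # Buffer the whole stream first, so the bytes that are hashed are
    # the bytes that are executed (no streaming straight into the shell).
    cat > "$tmp"
    actual=$(sha384sum "$tmp" | cut -d' ' -f1)

    if [ "$actual" != "$expected" ]; then
        echo "run_verified: digest mismatch, not executing" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        rm -f "$tmp"
        exit 1
    fi

    sh "$tmp" "$@"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# Constructed demo. The digest is computed locally only so this runs
# offline; a real pinned digest is published separately from the script.
demo_script='echo "installer ran with arg: $1"'
demo_digest=$(printf '%s\n' "$demo_script" | sha384sum | cut -d' ' -f1)

# Matching content runs.
printf '%s\n' "$demo_script" | run_verified "$demo_digest" demo

# Content changed after the digest was pinned is refused.
printf '%s\n' "$demo_script; echo tampered" \
    | run_verified "$demo_digest" demo || echo "blocked (exit $?)"
```
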
@vorlon Imagining all the trendy projects this would break
@noam this may or may not be a subtoot of https://mastodon.social/@vorlon/112338469017660673