Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Some mature projects still do curl .sh, like pivpn and pihole.
which makes sense because they don’t maintain packages on the dozens of different package manager repos.
IMO it’s kind of bogus to knock a project for having a shell install file.
Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.
It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.
If it’s not open source or you are not compiling it:
Why so much fear about the shell script but no fear from the executable?
If it’s open source and you are compiling it:
If you don’t fear the project because you (presumably) have read the source code and determined that it’s fine, why fear a shell script that is most certainly simpler, and you can read it like the rest of the code?
it’s not the impact to the user having dozens of choices.
it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.
IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.
Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.
As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.
Everything around nowadays does this shift if they can get away with it.
I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.
as a foss dev, your problems aren’t my problems.
As a sporadic foss contributor and foss advocate, I ain’t even installing your shit if the only install option is curl pipe to shell.
And I also do think it’s a red flag exactly like the original poster was looking for.
if you’re dumb enough to pipe curl to bash you deserve everything you get.
rtfs
I hate Windows partially because you have to download a bunch of random executables. Making that same security hole into a one liner in bash and making that the only install supported is not an improvement in any way.