vultour 6 hours ago

This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.

Reply View 6 replies
  • thephyber 15 minutes ago

    Both are examples of developer-types doing risky things, which was my point and also supports my point that developers are not exclusively better secured than non-developer types.

    Reply View 0 replies
  • craftkiller 6 hours ago

    No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

    [0] https://web.archive.org/web/20240213030202/https://www.idont...

    Reply View 4 replies
    • dylan604 5 hours ago

      I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install

      Reply View 2 replies
      • craftkiller 4 hours ago

        Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

        Reply View 1 reply
        • dylan604 3 hours ago

          That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.

          Reply View 0 replies
    • _hyn3 3 hours ago

      The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.

      Reply View 0 replies