vultour 10 months ago

This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.

Reply View 8 replies
  • craftkiller 10 months ago

    No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

    [0] https://web.archive.org/web/20240213030202/https://www.idont...

    Reply View 6 replies
    • dylan604 10 months ago

      I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install

      Reply View 4 replies
      • craftkiller 10 months ago

        Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.

        Reply View 3 replies
    • _hyn3 10 months ago

      The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.

      Reply View 0 replies
  • thephyber 10 months ago

    Both are examples of developer-types doing risky things, which was my point and also supports my point that developers are not exclusively better secured than non-developer types.

    Reply View 0 replies