IshKebab 2 days ago

Almost like it's actually fine.

https://medium.com/@ewindisch/curl-bash-a-victimless-crime-d...

Reply View 17 replies
  • uecker 2 days ago

    It is definitely not fine. The argument seems to be that since you need to trust somebody, curl | bash is fine because you just trust whoever controls the webserver. I think this is missing the point.

    Reply View 15 replies
    • oddmiral 2 days ago

      s/webserver/DNS/

      Reply View 3 replies
      • arthur2e5 2 days ago

        HTTPS is there, so you go down to that level only if you want to distrust any element of the public key infrastructure. Which, to be fair, there are plenty of reasons if you are paranoid -- they do tell you who's doing what in a shady way as they revoke, so there's a huge list of transgressions.

        Reply View 2 replies
    • whyever 2 days ago

      It's missing which point?

      Reply View 9 replies
      • uecker 2 days ago

        That you should be very careful about what you install. Cut&pasting some line from a website is the exact opposite of it. This is mostly about psychology and not technology. But there are also other issues with this, e.g. many independent failure points at different levels, no transparency, no audit chain, etc. The counter model we tried to teach people in the past is that people select a linux distribution, independently verify fingerprints of the installation media, and then only install packages from the curated a list of packages. A lot of effort went into making this safe and close the remaining issues.

        Reply View 8 replies