curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • easily3667
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 hours ago

    Gonna ignore nix since they have two users, but flatpak is fair. However flatpak is a sandboxing scheme which is distinct from per-user installs. In many cases it can be the better route but not always. I think the reason it’s popular on Linux is also the dll hell problem.

    • brian@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      31 minutes ago

      idk if 2 users is fair, it may just be my circles but I see nixos mentioned more than almost anything else on lemmy/hn/etc in the past couple years