curl|bash Installation Safety
This cluster debates the security risks and practicality of installing software via 'curl | bash' or similar commands, comparing it to package managers, binaries, and other methods while questioning trust, uninstallation, and standard practices.
Sample Comments
Curl|bash isn't any less safe than installing from a random ppa, or a random npm or pip package. Or a random browser extension or anything. The problem is the random, not the shell script. If you don't trust it, don't install it. Also, thinking that sudo is the big danger nowadays is a red herring. Your personal files getting stolen or encrypted by ransomware is often worse than having to reinstall the OS.
It's not just a security thing. If you install something via curl|bash, how do you uninstall it? How do you update it? Do you know what it did to your machine? What config files it touched?
My problem with curl|bash is not that the script might be malicious - the software I'm installing could equally be malicious. It's that it may be written incompetently, or just not with users like me in mind, and so the installation gets done in some broken, brittle, or non-standard way on my system. I'd much rather download a single binary and install it myself in the location I know it belongs in.
Yeah, the curl|bash approach is approximately as safe as basically any other software installation method, if you trust the owner of the URL as much as you trust the maintainers of NPM, Pypi, etc.
Piping a url into bash is not more or less risky than downloading a windows binary, installing a snap, installing a npm/composer/whatever package with post-install hooks, downloading a binary for your Mac. It's impossible to read every line of code we execute (many of which are closed source anyway). Downloading a large script and reading it before running it in bash is also hardly a good security measure. It's much more practical to teach people how to recognize trustwor
But you have exactly the same problem with downloading a binary, or running pip install. You have no idea what that code does, so curl | bash doesn't hurt any more than any other normal methods of installation.
You are essentially asking what is safer than running arbitrary code from the internet sight unseen directly into your shell and I guess my answer would be any other standard installation method! The OS usually has guardrails and logging and audits for what is installed but this bypasses it all. When you look at this from an attacker's perspective, it's heaven. My mom recently got fooled by a scammer that convinced her to install remote access software. This curl pattern is the exact same v
Sure. Trust. But a shell script at least gives easy means to have a glimpse of what it is going to do. As legitimate websites of software have been breached to serve infected packages (like CCleaner[1]) or otherwise fraudulent content (even kernel.org[2]), I always shudder a bit when I see myself being asked to pipe something directly from curl to a (root) shell.

1. https://www.extremetech.com/internet/256238-ccleaner-infection-severe-thought-targeted-microsoft-google-samsu
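The mitigation this comment hints at (download first, look at the script, and check it against something the publisher states out of band before it ever reaches a shell) as an added example; this is not code from the thread or from any project mentioned in it. It assumes the publisher provides a SHA-256 digest of the installer through a separate channel, and the URL and digest values in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: fetch an installer to a file, verify a pinned SHA-256, and only
# then run it, instead of piping curl straight into a shell.
# Assumption: EXPECTED_SHA256 comes from the publisher via a channel other than
# the download URL itself (release notes, a signed manifest, etc.).
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Succeeds only when the file's digest equals the pinned value; executes nothing.
verify_installer() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file (HTTPS only, fail on HTTP errors), verifies the digest,
# and runs the script only on a match. The temp file is left on disk on mismatch
# so it can be inspected, then removed after a successful run.
fetch_verify_run() {
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"
    if verify_installer "$tmp" "$2"; then
        # Read it first if you want: less "$tmp"
        sh "$tmp"
        rm -f "$tmp"
    else
        echo "digest mismatch for $1; refusing to run (kept at $tmp for inspection)" >&2
        return 1
    fi
}

# Usage (hypothetical URL and digest, both placeholders):
# fetch_verify_run https://example.invalid/install.sh <sha256-from-release-notes>
```

This does not make the installer any more trustworthy than its author, which is the thread's main point; what it does is remove the "arbitrary bytes straight into a shell" step, so a swapped file on a compromised web host fails the digest check instead of running, and there is a file on disk to read and to diff against what the next version ships.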
I don't see how this is less secure than downloading a program and running it. Or downloading some package that asks you to run an install script. People will see no problem with curl | sh as long as they feel they can trust the source/site asking them to do so. They will be running the same risk as with downloading binaries or install packages.
Hardly different from downloading random binary installers and executing them. Or random source distributions and (sudo) make install. Or npm/pip/cargo/etc. install random packages. Before anyone mentions distros and package managers, as a former team member of a major package manager I can assure you we don't vet shit beyond project notability, and new versions are accepted semi-automatically. We'll yank something after the fact if you report a malicious update, sure. curl | ba