curl https://some-url/ | sh
I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?
I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?
You’re not wrong, but there’s an element of trust in anything like this and it’s all about your comfort level. How can you truly trust any code you didn’t write and complie yourself. Actually, how do you trust the compiler.
And let’s be honest, even if you trust my code implicitly (Hey, I’m a bofh, what could go wrong?) then that simply means that you’re trusting me not to do anything malicious to your system.
Even if your trust is well-placed in that regard, I don’t need to be malicious to wipe your system or introduce a configuation error that makes you vulnerable to others, it’s perfectly possible to do all that by just being incompetent. Or even being a normally competent person who was just having a bad day while writing the script you’re running now. Ooops.
This is the primary goal of distros these days.