heybrendan | 2 years ago

This is an overreaction, almost to the point of absurdity.

Risks inherent to pipe installers are well understood by many. Using your logic, we should abandon Homebrew [1] (>38k stars on GitHub), PiHole [2] (>46k stars on GitHub), Chef [3], RVM [4], and countless other open source projects that use one-step automated installers (by piping to bash).

A more reasonable response would be to coordinate with the developers to update the docs to provide alternative installation methods (or better detail risks), rather than throwing the baby out with the bathwater.

[1] https://brew.sh/

[2] https://github.com/pi-hole/pi-hole

[3] https://docs.chef.io/chef_install_script/#run-the-install-sc...

[4] https://rvm.io/rvm/install

saurik | 2 years ago

FWIW, Homebrew (no longer) deserves quite such ire, as you will note that it explicitly does NOT pipe the result to a copy of bash: by downloading it first and quoting it using a subshell, it prevents the web server from being able to get interactive access.
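
The difference between the two install patterns discussed in this thread, as an added example that is not part of either comment or of any project's installer: an interpreter fed by a pipe runs lines while the transfer is still in progress, whereas a fetch-first installer runs nothing until the whole script has arrived. `truncated_download` is a constructed stand-in for a download that drops mid-transfer, and the exit-status check in `run_fetch_then_exec` is an assumption that goes one step beyond plain command substitution.

```shell
#!/usr/bin/env bash
# Constructed stand-in for a download: emits the first line of an
# installer, then the "connection" drops (non-zero exit status).
truncated_download() {
  printf 'echo step-1 >> "$LOG"\n'
  return 1   # simulated mid-transfer failure
}

# Pattern 1: stream straight into the interpreter.
# bash executes each line as it arrives, so the partial script runs
# even though the transfer failed, and the sender could in principle
# keep the stream open while earlier lines are already executing.
run_piped() {
  export LOG=$1
  truncated_download | bash
}

# Pattern 2: fetch the whole script first, confirm the fetch succeeded,
# and only then hand the complete text to the interpreter.
# By the time anything executes, the transfer is already finished.
run_fetch_then_exec() {
  export LOG=$1
  local script
  script=$(truncated_download) || return 1   # refuse partial downloads
  bash -c "$script"
}

# Demo: compare what each pattern executed.
demo_dir=$(mktemp -d)
run_piped "$demo_dir/piped.log"
run_fetch_then_exec "$demo_dir/fetched.log" \
  || echo "fetch failed: nothing was executed"
echo "piped pattern executed: $(cat "$demo_dir/piped.log" 2>/dev/null)"
```
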