top | item 45182776

(no title)

dansmith1919 | 5 months ago

I assume OP's point is "you're running a random script directly into your shell!!"

You're about to install and run their software. If they wanted to do something malicious, they wouldn't hide it in their plaintext install script.

discuss

tomsmeding|5 months ago

It is sometimes possible to detect server-side whether the script is being run immediately with `| sh` or not. The reason is that `sh` only reads from its input as far as it got in the script, so it takes longer to get to the end than if you'd curl show the result in the terminal directly (or pipe it to a file).

A server can use this to maliciously give you malware only if you're not looking at the code.

Though your point about trust is valid.

kevinrineer|5 months ago

`curl URL | sudo sh` doesn't have a means of verification of what the contents of the URL points to.

Sure a binary can be swapped in other places, but they generally can be verified with hashes and signatures. Also, a plaintext install script often has this problem in another layer of recursion (where the script usually pulls from URLs that the runner of the script cannot verify with this method)