To curl|bash or not to curl|bash
Tags: software, security.
By lucb1e on 2016-05-08 16:23:58 +0100
People have a lot to say about how terrible piping from curl to bash is. These are the reasons people give:
1. It executes arbitrary code on your system!
I'm sure these people never ran a .exe file in their life.
2. The download could cut off mid-file and turn "rm /opt/something" into "rm /opt"!
Valid point! This is why we commonly wrap the installer as a big function, and call it in the end. If you care, you can even inspect the source to see if it does this, and if the software is on Github or something (curl|bash-using software usually is) or has nice developers, you can just let them know or send a pull request.
3. The code is not signed! If it was from the repositories, it would be signed.
If it's in the repositories, why are you piping to bash anyway? Besides, you can totally GPG sign the installer, but how do you then make sure everyone gets the right public key (which people use to verify the signature)? You need to publish it somewhere, in which case you might as well publish the hash sum instead. More people will know how to run sha1sum than gpg.
But what I think is the real reason people care about this, is that we can suddenly see the code. Because we *can*, we care. We suddenly get a lot more control and thus we want to use it, then we notice issues, and we start discussing it. This is a good thing, by the way!
For example, I never really thought twice about installing a .deb file (a Debian package) if the software itself looks trustworthy enough (people talking about it, big enough company, etc.). On the other hand, I notice that when people tell me to run curl|bash, I will open that curl url in my browser (or in vim for syntax highlighting) and inspect the source.
Because I easily can, I suddenly care. That's why I think this big discussion arises every time someone posts about curl|bash, and not whenever someone posts a .exe/.deb/.apk/.dmg download.
This post was inspired by this HN discussion