💾 Archived View for idiomdrottning.org › no-curl-bash captured on 2022-01-08 at 13:46:17. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

➡️ Next capture (2023-12-28)

🚧 View Differences

-=-=-=-=-=-=-

Curling up inside my private bash pipes

OK, this whole curl -fsSL my.self.hosted.rando.dangerous.url.xyz |

bash way to distribute compiled binaries that the Rust and Golang communities are doing is not OK. Sober up and don’t curl rando stuff into your shell and don’t run rando binaries either. You didn’t build that!

Debian signs their compiled packages for a reason.

Seeing this practice being so widespread has the knock-on-effect (yeah, it’s not technically related) of making me hesitant to even do cargo install blablabla when any schmoe can do cargo publish and tell you to go cargo install. It’s better than the curl into bash borkery because if they do publish malware to crates.io, it can be vetted later. When times comes to do a biopsy of your system.

They can publish a new version that messes up your stuff at a moments notice but at least there will be a record of them doing that. So you can look down on your dead machine from heaven and see “oh, so that’s when it all went wrong.”

Unlike the curl something something | bash which… don’t do. And stop asking people to do that. You are creating bad habits.

Update

Alex Birsan puts this to practice.

Update, 15 months later

A Unix filter to verify md5sums is a pretty awesome idea.