💾 Archived View for idiomdrottning.org › no-curl-bash captured on 2024-03-21 at 16:20:18. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-12-28)
-=-=-=-=-=-=-
OK, this whole curl -fsSL my.self.hosted.rando.dangerous.url.xyz |
bash way to distribute compiled binaries that the Rust and Golang communities are doing is not OK. Sober up and don’t curl rando stuff into your shell and don’t run rando binaries either. You didn’t build that!
Debian signs their compiled packages for a reason.
Seeing this practice being so widespread has the knock-on-effect (yeah, it’s not technically related) of making me hesitant to even do cargo install blablabla when any schmoe can do cargo publish and tell you to go cargo install. It’s better than the curl into bash borkery because if they do publish malware to crates.io, it can be vetted later. When times comes to do a biopsy of your system.
They can publish a new version that messes up your stuff at a moments notice but at least there will be a record of them doing that. So you can look down on your dead machine from heaven and see “oh, so that’s when it all went wrong.”
Unlike the curl something something | bash which… don’t do. And stop asking people to do that. You are creating bad habits.
Alex Birsan puts this to practice.