this post was submitted on 13 Mar 2025
280 points (96.4% liked)

Linux

6530 readers
298 users here now

A community for everything relating to the GNU/Linux operating system

Also check out:

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago
MODERATORS
 

curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don't we have something better than "sh" for this? Something with less power to do harm?

(page 3) 50 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 5 days ago

Just use a VM or container for installing software. It can go horribly wrong in a isolated place.

[–] [email protected] 4 points 5 days ago (2 children)

I always try to avoid these, unless the application I'm installing has it's own package management functionality, like Rustup or Nix. Everything else should be handled by the system package manager.

[–] [email protected] 1 points 5 days ago* (last edited 5 days ago)

Use containers for installing things.

It is sandboxed and controllable by you

[–] [email protected] 1 points 5 days ago

Ironically, it is rustup that triggered me with this most recently... https://www.rust-lang.org/tools/install

[–] [email protected] 4 points 5 days ago
[–] [email protected] 2 points 5 days ago (1 children)

I also feel incredibly uncomfortable with this. Ultimately it comes down to if you trust the application or not. If you do then this isn't really a problem as regardless they're getting code execution on your machine. If you don't, well then don't install the application. In general I don't like installing applications that aren't from my distro's official repositories but mostly because I like knowing at least they trust it and think it's safe, as opposed to any software that isn't which is more of an unknown.

Also it's unlikely for the script to be malicious if the application is not. Further, I'm not sure a manual install really protects anyone from anything. Inexperienced users will go through great lengths and jump through some impressive hoops to try and make something work, to their own detriment sometimes. My favorite example of this is the LTT Linux challenge. apt did EVERYTHING it could think to do to alert that the steam package was broken and he probably didn't want to install it, and instead of reading the error he just blindly typed out the confirmation statement. Nothing will save a user from ruining their system if they're bound and determined to do something.

[–] [email protected] 2 points 5 days ago (1 children)

In this case apt should have failed gracefully. There is no reason for it to continue if a package is broken. If you want to force a broken package, that can be it's own argument.

[–] [email protected] 2 points 5 days ago

I'm not sure that would've made a difference. It already makes you go out of your way to force a broken package. This has been discussed in places before but the simple fact of the matter is a user that doesn't understand what they're doing will perservere. Putting up barriers is a good thing to do to protect users, spending all your time and effort to cover every edge case is a waste of time because users will find ways to shoot themselves in the foot.

[–] [email protected] 2 points 5 days ago

Just direct it into a file, read the script, and run it if you're happy. It's just a shorthand that doesn't require saving the script that will only be used once.

[–] [email protected] 2 points 5 days ago (1 children)

Most packages managers can run arbitrary code on install or upgrade or removal. You are trusting the code you choose to run on your system no matter where you get it from. Remember the old bug in ubuntu that ran a rm -rf / usr/.. instead of rm -rf /usr/... and wiped a load of peoples systems?

Flatpacks, Apparmor and snaps are better in this reguard as they are somewhat more sandboxed and can restrict what the applications have access to.

But really if the install script is from the authors of the package then it should be just as trustworthy as the package. But generally I download and read the install scripts as there is no standard they are following and I don't want them touching random system files in ways I am not aware of or cannot undo easily. Sometimes they are just detecting the OS and picking relevant packages to install - maybe with some thrid party repos. Other times they mess with your home partition and do a bunch of stuff including messing with bashrc files to add things to your PATH which I don't like. I would never run a install script that is not from the author of the application though and be very wary of install scripts from a smaller package with fewer users.

[–] [email protected] 1 points 4 days ago

No serious distro package manager doesn't require cryptographic signatures in 2025.

Software deep managers are all rubbish except for maven

[–] [email protected] 1 points 5 days ago (5 children)

Am I the only one who cringes when I have to update my system?

How do I know the maintainers of the repo haven't gone rogue and are now distributing malware?

DAE get anxious when running code on computer?

I think for the sake of security we should just use rocks, stones, and such to destroy all computers, as this would prevent malicious software from being executed.

load more comments (5 replies)
[–] [email protected] 1 points 5 days ago (1 children)

Absolutely. Wanted to try out the famous Python management tool UV last week, installation instruction is like this:

curl -LsSf https://astral.sh/uv/install.sh | sh

Yeah, no thank you.

[–] [email protected] 1 points 5 days ago* (last edited 5 days ago)

Is available via pip? You could use venv

[–] [email protected] -1 points 4 days ago

I don't cringe. Just instinctively Ctrl+W

load more comments
view more: ‹ prev next ›