Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.
It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.
If it’s not open source or you are not compiling it:
Why so much fear about the shell script but no fear from the executable?
If it’s open source and you are compiling it:
If you don’t fear the project because you (presumably) have read the source code and determined that it’s fine, why fear a shell script that is most certainly simpler, and you can read it like the rest of the code?
Huh? Fear from both.
If you fear both, and
curl | shis a red flag. Binary blob is also a red flag, if you fear them both equally.Has every software that runs in your computer been compiled by you?
No, but much of it comes from software repositories, which is exactly the point.
it’s not the impact to the user having dozens of choices.
it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.
IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.
Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.
As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.
Everything around nowadays does this shift if they can get away with it.
I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.
as a foss dev, your problems aren’t my problems.
As a sporadic foss contributor and foss advocate, I ain’t even installing your shit if the only install option is curl pipe to shell.
And I also do think it’s a red flag exactly like the original poster was looking for.
if you’re dumb enough to pipe curl to bash you deserve everything you get.
rtfs
I hate Windows partially because you have to download a bunch of random executables. Making that same security hole into a one liner in bash and making that the only install supported is not an improvement in any way.