“Should I pipe it?”
So, fellow developers, you know how we’re all told not to pipe installation scripts into our shells and yet we all do it anyway? I just rolled a little something that might help with that…
Here’s an example of the nvm install script, verified by yours truly:
What do you think?
Anyone with a GitHub account can help verify installation scripts (would be good to have two more for nvm).
@jookia It doesn’t cache the script but there is of course the possibility that the site could serve one thing to Should I pipe it? and something else to everyone else. Will have a think about that.
The only way to fully mitigate any attack would be to have Should I pipe it? included in the pipe itself but I’m hesitant to include a centralised single point of failure into install scripts. It would make that site the focus of attacks. This is meant as guidance / better than nothing / awareness.
@aral Having people just check hashes would be a start.
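The hash check suggested above, as an added example that is not part of the original thread: download the script to a file, compare its SHA-256 to a pinned value, and run only those exact bytes, which also covers a site that serves reviewers one script and everyone else another. The function names are hypothetical, and the pinned hash is assumed to come from reviewers through a channel other than the download site.

```shell
#!/bin/sh
# Added example: verify an install script against a pinned SHA-256 before running it.
# Assumption: the expected hash was published by people who reviewed the script.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run a script that is already on disk only if its hash equals the pinned value.
# On mismatch nothing is executed and the function returns 1.
run_if_hash_matches() {
    script=$1
    expected=$2
    actual=$(sha256_of "$script") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$script"
}

# Download to a temporary file first, so the bytes that were hashed are the
# bytes that get executed (a pipe into sh gives no chance to check them).
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if curl -fsSL --proto '=https' "$url" -o "$tmp"; then
        run_if_hash_matches "$tmp" "$expected"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Call it as `fetch_verify_run <script-url> <pinned-sha256>`; a non-zero exit means the download failed or the script did not match and was not run.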