“Should I pipe it?”

So, fellow developers, you know how we’re all told not to pipe installation scripts into our shells and yet we all do it anyway? I just rolled a little something that might help with that…

Here’s an example of the nvm install script, verified by yours truly:


What do you think?

Anyone with a GitHub account can help verify installation scripts (would be good to have two more for nvm).

Instructions: github.com/small-tech/should-i

Thoughts? :)

@aral I wish Debian and most popular distros would ship a CLI tool that does that kind of thing (like checking a signature or whatever is deemed good enough)

There might be tools that people can install on their machine for this - or this webpage you made is pretty useful, but at the end of the day, people like curl|bash because it's a copy-pasteable CLI one-liner that has basically zero dependencies (well, curl...)


Also, it's never clear to me why curl|bash is so controversial in the first place... Like, what's the threat model? Each time I see people arguing about it on the internet, it's always a confused discussion between authenticity, integrity, trust in the authors, trust in the transport protocols, and "What!? You don't read every line of code that runs on your computer!?"... And ultimately people don't scream that much when it's about "double-clicking on an obscure .exe found on Google" or "apt install foobar".

I suppose curl|bash for some reason just shows how in everyday life we rely on trust when we run software, and it makes us afraid that we can run random code so easily. Ultimately there are very few contexts in which there is clear information about how code is (or is not) audited and peer-reviewed before we run it on our machines. Typically it's not clear to me if and how much code is audited in Debian before being available in the repos...

(sorry, I'm thinking out loud at this stage)

@aleks @aral One article I read was where they were able to change the script that was served depending on whether it was downloaded or piped through bash. I'm not sure how they detected the difference, but they somehow could, apparently. So the idea is that the code can't really be verified, because when you download you get different code than when you pipe. And, of course, it's not about whether you personally verify, but rather whether it's possible to verify, so that maybe someone else may do it.
But yeah, I do it too, and even if people don't want to pipe through bash, it's trivial to download first and run that if they really want.

@ilja @aleks Yeah, that’s definitely possible.

Will have a think.

Adding a pipe to the pipe is the only way to really solve that.

But could also mark scripts hosted on well-known sites like GitHub and GitLab more trusted as that wouldn’t be an attack vector (unless they’ve been backdoored by government actors).
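The "download first, then run" approach mentioned in the thread, written out as a small POSIX sh wrapper. This is an added example, not code from the thread, from the should-i project, or from nvm: it fetches the whole script to a file before any of it executes (so a server cannot tell a download from a pipe, and what you inspect is exactly what runs), compares its SHA-256 against a digest you obtained out of band, and only then runs it. The function names, the use of `curl -fsSL -o`, and the idea of keeping the expected digest in a separate channel are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's or should-i's own code. Fetch an install
# script to disk, verify its SHA-256 against an out-of-band digest, then run it.

sha256_of() {
    # Print the hex SHA-256 of a file, using whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_script_digest() {
    # verify_script_digest FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

run_verified_script() {
    # run_verified_script FILE EXPECTED_HEX: run FILE with sh only if it matches.
    if ! verify_script_digest "$1" "$2"; then
        echo "digest mismatch for $1, refusing to run" >&2
        return 1
    fi
    sh "$1"
}

fetch_and_run() {
    # fetch_and_run URL EXPECTED_HEX: the complete script lands on disk before
    # anything executes, so there is no partially-run script to race against,
    # and the bytes you (or someone else) checked are the bytes that run.
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    run_verified_script "$tmp" "$2"
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage (placeholder URL and digest, not nvm's real values):
#   fetch_and_run https://example.invalid/install.sh <64-hex-digest>
```

The digest has to come from somewhere other than the server that serves the script (a signed release page, a second mirror, or a community verification like the one proposed above); a digest fetched from the same origin over the same connection proves nothing about the origin, only that the download was not corrupted.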

Aral’s Mastodon