curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • trashgirlfriend@lemmy.world
    link
    fedilink
    arrow-up
    6
    arrow-down
    6
    ·
    1 day ago

    Am I the only one who cringes when I have to update my system?

    How do I know the maintainers of the repo haven’t gone rogue and are now distributing malware?

    DAE get anxious when running code on computer?

    I think for the sake of security we should just use rocks, stones, and such to destroy all computers, as this would prevent malicious software from being executed.

    • thomask@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      3
      ·
      20 hours ago

      I realise you’re trolling but actually yes. This is why I use Debian stable where possible - if egregious malware shows up it will probably be discovered by all the folks using rolling distros first.

    • rah@feddit.uk
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 day ago

      How do I know the maintainers of the repo haven’t gone rogue and are now distributing malware?

      Depends on the repo but at least for Debian, there’s a path of trust between GPG keys I’ve signed and the Debian release GPG keys.

      • trashgirlfriend@lemmy.world
        link
        fedilink
        arrow-up
        4
        arrow-down
        3
        ·
        1 day ago

        How do you know that the malware goblin hasn’t installed malware on your computer when you weren’t looking?

        I think the only foolproof plan is using boulders, stones, and perhaps other blunt objects to deal with the issue of code executing altogether.