Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
networked 2 days ago

You can also use vipe from moreutils:

  curl -sSL https://example.com/install.sh | vipe | sh
This will open the output of the curl command in your editor and let you review and modify it before passing it on to the shell. If it seems shady, clear the text.

vet looks safer. (Edit: It has the diff feature and defaults to not running the script. However, it also doesn't display a new script for review by default.) The advantage of vipe is that you probably have moreutils available in your system's package repositories or already installed.

TZubiri 2 days ago | parent [-]

Huh

Why not just use the tools separately instead of bringing a third tool for this.

Curl -o script.sh

Cat script.sh

Bash script.sh

What a concept

networked 2 days ago | parent | next [-]

What it comes down to is that people want a one-liner. Telling them they shouldn't use a one-liner doesn't work. Therefore, it is better to provide a safer one-liner.

This assumes that securing `curl | sh` separately from the binaries and packages the script downloads makes sense. I think it does. Theoretically, someone can compromise your site http://example.com with the installation script https://example.com/install.sh but not your binary downloads on GitHub. Reviewing the script lets the user notice that, for example, the download is not coming from the project's GitHub organization.

bawolff 2 days ago | parent | prev | next [-]

If you are really paranoid you should use cat -v, as otherwise terminal control characters can hide the malicious part of the script.

panki27 2 days ago | parent | prev | next [-]

At this point, the whole world is just a complexity Olympiad

adolph 2 days ago | parent | prev [-]

Same but less instead of cat so my fingers stay in the keyboard.

Vet, vite, etc are kind of like kitchen single-taskers like avocado slicer-scoopers. Surely some people get great value out of them but a table-knife works just fine for me and useful in many task flows.

I'd get more value out of a cross-platform copy-paster so I'm not skip-stepping in my mind between pbpaste and xclip.

hsbauauvhabzb 2 days ago | parent [-]

Have you tried aliases?

adolph 2 days ago | parent [-]

For pbpaste/pbcopy and xclip? I've considered it and haven't decided how to do it yet given differences in how they work. Do you have one?

https://linux.die.net/man/1/xclip

https://ss64.com/mac/pbcopy.html

https://man.openbsd.org/xclipboard.1

procaryote 2 days ago | parent | next [-]

I do

    if ! which pbcopy &> /dev/null; then
        alias pbcopy="xclip -selection clipboard"
        alias pbpaste="xclip -o -selection clipboard"
    fi
The `if` bit is so it only adds the alias if there isn't a `pbcopy`, so I can use the same dotfile on mac and linux
adolph 16 hours ago | parent [-]

Thank you!

hsbauauvhabzb 2 days ago | parent | prev [-]

I’m honestly not familiar with pbcopy, but I imagine you could make a relatively consistent wrapper in python if a simple alias does not work. Are you able to give some example shell code of what you’d like to be consistent?