| ▲ | TZubiri 2 days ago | ||||||||||||||||||||||||||||||||||||||||
Huh Why not just use the tools separately instead of bringing a third tool for this. Curl -o script.sh Cat script.sh Bash script.sh What a concept | |||||||||||||||||||||||||||||||||||||||||
| ▲ | networked 2 days ago | parent | next [-] | ||||||||||||||||||||||||||||||||||||||||
What it comes down to is that people want a one-liner. Telling them they shouldn't use a one-liner doesn't work. Therefore, it is better to provide a safer one-liner. This assumes that securing `curl | sh` separately from the binaries and packages the script downloads makes sense. I think it does. Theoretically, someone can compromise your site http://example.com with the installation script https://example.com/install.sh but not your binary downloads on GitHub. Reviewing the script lets the user notice that, for example, the download is not coming from the project's GitHub organization. | |||||||||||||||||||||||||||||||||||||||||
| ▲ | bawolff 2 days ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||||||||
If you are really paranoid you should use cat -v, as otherwise terminal control characters can hide the malicious part of the script. | |||||||||||||||||||||||||||||||||||||||||
| ▲ | panki27 2 days ago | parent | prev | next [-] | ||||||||||||||||||||||||||||||||||||||||
At this point, the whole world is just a complexity Olympiad | |||||||||||||||||||||||||||||||||||||||||
| ▲ | adolph 2 days ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||||||||
Same but less instead of cat so my fingers stay in the keyboard. Vet, vite, etc are kind of like kitchen single-taskers like avocado slicer-scoopers. Surely some people get great value out of them but a table-knife works just fine for me and useful in many task flows. I'd get more value out of a cross-platform copy-paster so I'm not skip-stepping in my mind between pbpaste and xclip. | |||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||