> curl is mature enough that the chance of an impactful bug is basically zero

Curl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, its a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...

▲

inigyou 6 hours ago | parent [-]

curl is the sandbox. It exchanges packets with the internet and then outputs a safely sanitized byte stream.

▲

swiftcoder 5 hours ago | parent [-]

curl is only the sandbox if you don't then do anything with the byte stream.

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

	▲	inigyou 3 hours ago \| parent \| next [-]
		Well yeah, that's true for any sandbox. If you pipe stuff outside of the sandbox, outside of any sandbox, and run it there, then you're not running it in a sandbox.
	▲	layer8 4 hours ago \| parent \| prev [-]
		How do you set up the sandbox without having downloaded anything from the internet? I guess there’s still places where you can buy Linux CDs.