A Security PSA

Who would do this? Even worse is when they ask you to put sudo in front of it.

You can make the case, I guess, that it's really no worse than downloading and running an installer, but piping a script straight from the network into a shell is just asking for trouble. At least with an installer you can usually check a signature before you run it.
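The safer pattern the post is pointing at, as an added example that is not code from the original post: download to a file, check it against a digest (or signature) published somewhere other than the download URL itself, and only then execute it. The sha256 check below is an assumption standing in for whatever the publisher actually provides; when a project signs releases, `gpg --verify install.sh.asc install.sh` takes the place of the digest comparison.

```shell
#!/bin/sh
# Added example, not from the original post: the "download, verify, then run"
# alternative to `curl ... | sh`. The expected digest is assumed to come from
# a channel other than the download itself (release notes, a signed tag, docs
# served elsewhere); a digest fetched from the same URL as the script proves
# nothing, since whoever controls one controls the other.
set -eu

# Print the SHA-256 digest of FILE, portable across sha256sum and shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest matches EXPECTED_SHA256; otherwise
# reports the mismatch and returns 1 without executing a single line of it.
# Contrast with curl | sh, where a truncated or tampered transfer has already
# been partly executed by the time anything could be checked.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file"
}

# Demo with a constructed installer script standing in for the curl download.
workdir=$(mktemp -d)
printf '#!/bin/sh\necho "installing (pretend)"\n' > "$workdir/install.sh"

# In real use this digest is copied from the publisher's out-of-band source;
# here it is computed from the constructed file so the demo runs offline.
good=$(sha256_of "$workdir/install.sh")

verify_and_run "$workdir/install.sh" "$good"   # digest matches: script runs

# Rewriting every hex digit simulates a tampered or truncated download.
bad=$(printf '%s' "$good" | tr '0123456789abcdef' '123456789abcdef0')
if verify_and_run "$workdir/install.sh" "$bad"; then
    echo "should not have run" >&2
    exit 1
fi
rm -rf "$workdir"
```

Nothing here stops a malicious script that the publisher signed deliberately; it only guarantees that what runs is byte-for-byte what the publisher vouched for, and it gives you a file on disk to read first, which is exactly what the pipe throws away.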

  • NoonianAtall

    I regularly see new projects on GitHub, mentioned on some news aggregator getting lots of attention, whose primary, recommended method of installation is pipe-curl-to-shell. Once in a while I file a bug on their tracker pointing to common examples of how it makes you severely vulnerable. Usually the response is not positive. One time they were receptive, but they asked me to explain basic security concepts, and could barely comprehend the problem, never actually doing anything about it. Even something as simple as signed git tags seems beyond some of these...programmers? It doesn't seem to bode well for the future of software.