
It’s depressing how commonplace `curl|(ba)sh` has become.

This will sound clichéd but I blame the rise of “poor man's devops” whereby management fires all the ops, and lets developers manage infrastructure.




I agree, it may be cliché, but I think the exact same thing whenever I see this kind of practice, too. Or the developer who has never had to manage a live system with users who know his phone number and his boss's phone number.

"Oh, this is just for a test mock up. Nobody is supposed to actually use this to install it for real."

Well, to experienced people it makes you look moderately stupid, and to inexperienced people it looks like an elegant solution. It's actively hostile to secure system planning.

It reminds me of the NPM left-pad debacle[0] and some of the criticism[1] that came up from that.

0: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

1: http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how...


I’ve given up waiting for nodejs to become a reliable environment. Just recently the `is-even` package came to light and highlighted that things aren’t getting any better than when leftpad was a thing.

I can’t wait to see tc39’s response to the `is-even` shit show after they decided to just add leftpad to the stdlib.


Wow, I hadn't heard about the is-odd/is-even/is-number thing. That's hilarious and awful.

Reminds me of: https://github.com/jezen/is-thirteen


The “best” part of it all is that apparently js engines have an internal optimisation for `foo % 2 === 0`, because it’s such a common thing.

This clown was using a bitwise operation in `is-even` “because everyone already knows about `% 2 === 0`”, and thus was hurting performance (on top of whatever extra memory is used for the module, function call overhead etc.).


Just pasting commands alone into a terminal is pretty insecure now too. There are proof-of-concepts that show some control characters and other invisible characters will make it to the clipboard, and even someone pasting into a text editor won't see them.


Between that and delivering different responses to curl|sh vs a browser or regular curl [1] you’d think this kind of bullshittery would be abandoned, but no.

1: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
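The two comments above make related points: invisible or control characters can ride along in pasted text, and a server can hand `curl | sh` different bytes than it hands a browser or a plain `curl`. The common fix for both is to save the script to a file, inspect and verify that file, and only then run it, so the bytes you execute are the bytes you looked at. The POSIX shell below is an added example written for this page; it is not code from the thread or from either linked post. It uses constructed sample files rather than a real installer, and it assumes you obtained the expected SHA-256 from somewhere other than the page you downloaded the script from (otherwise the hash proves nothing).

```shell
#!/bin/sh
# Added example (not from the thread): gatekeeper to run instead of `curl URL | sh`.
# 1) download with `curl -fsSL URL -o file` (not shown; needs network)
# 2) vet_script file expected_sha256
# 3) only if that succeeds: sh file

# Count bytes that are not printable ASCII, tab or newline. A plain shell
# script yields 0. Anything else (\r, ESC sequences, zero-width or bidi
# characters, any non-ASCII) lands here and means: look at the file in a
# hex viewer before trusting it.
suspicious_byte_count() {
    LC_ALL=C tr -d '\011\012\040-\176' < "$1" | wc -c | tr -d ' '
}

# SHA-256 of a file, using sha256sum (coreutils) or shasum (macOS), whichever exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file has no suspicious bytes AND matches the pinned hash.
# It never executes the script; the caller decides what to do on success.
vet_script() {
    file=$1; expected=$2
    n=$(suspicious_byte_count "$file")
    if [ "$n" -ne 0 ]; then
        echo "refusing $file: $n non-printable/non-ASCII byte(s); inspect with: od -c $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $file: SHA-256 $actual does not match pinned $expected" >&2
        return 1
    fi
    return 0
}

# --- Constructed sample inputs (not real installers) ---------------------
CLEAN=$(mktemp); EVIL=$(mktemp)
trap 'rm -f "$CLEAN" "$EVIL"' EXIT

printf '#!/bin/sh\necho hello\n' > "$CLEAN"
# Visually identical, but with a zero-width space (U+200B, bytes e2 80 8b)
# and a carriage return smuggled in: 4 bytes a terminal paste would hide.
printf '#!/bin/sh\necho hello\342\200\213\r\n' > "$EVIL"

# In real use this hash comes from a separate channel (release notes, signed
# checksum file, a colleague). Here we pin the hash of the clean sample.
CLEAN_SHA=$(sha256_of "$CLEAN")

for f in "$CLEAN" "$EVIL"; do
    if vet_script "$f" "$CLEAN_SHA"; then
        echo "ok: $f (safe to run with: sh $f)"
    else
        echo "rejected: $f"
    fi
done
```

A non-zero byte count is a prompt to inspect, not proof of malice: a legitimate script with UTF-8 in its comments will also trip it, which is exactly when you want to open it in `od -c` rather than pipe it anywhere. Downloading to a file first also sidesteps the detection trick in [1]: the server never sees the read pattern of a shell consuming its output, so whatever it served is what you get to inspect and, if you choose, run.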



