What is the difference between downloading and running a bash script vs. downloading and running a binary or a Docker image?
Surely, when downloading a piece of software from a (quasi?) trusted source, no developer is going to read all the lines of source code before running it. And if that's the case, how is downloading and running an .sh from the same source any different?
It's probably a bad idea to willy-nilly "docker run" something too - but in this case it's extra silly - the demo requires docker and docker-compose - so the downloading/instruction might as well have been just:
wget https://raw.githubusercontent.com/knadh/listmonk/master/docker-compose.yml
docker-compose up demo-db demo-app
And a note that demo app runs on port 9000. Even better would be a demo docker-compose.yml, so that "docker-compose up" was enough.
Now, should you run some random docker image(s)? Maybe not. But it's easier to see what's going on - maybe you spin up a vm and run docker there, isolated?
> What is the difference between downloading and running a bash script vs. downloading and running a binary or a Docker image
Docker images are slightly isolated. By default running a random one doesn't have access to your local filesystem or anything listening on your machine, unless you explicitly ask for it ( which a random docker-compose.yaml or bash script around a docker-compose.yaml and up can).
TBH, I've never downloaded a Docker image. I rely on Debian; I trust packages from the Debian repository (hell, I'm running their OS, so I already trust them).
Software from other sources: not so much. Maybe run it in a VM.
Look, I've used such commands myself - once upon a time that was the recommended way to install LetsEncrypt, I think. But I look at the script first.
Surely, when downloading a piece of software from a (quasi?) trusted source, no developer is going to read all the lines of source code before running it. And if that's the case, how is downloading and running an .sh from the same source any different?