Hacker News new | past | comments | ask | show | jobs | submit login

I feel like installing a security tool by curling a random script off the internet and piping it into `/bin/bash` is a bit contradictory. Surely there's a better way to install this?



If you're smart enough to realize that there might be something to worry about, you should be smart enough to be able to figure out how to divide the command into three parts instead of one (download the script, inspect the contents and then run the same inspected [local] script).

Every time a project with curl | sh is featured on HN this comes up. At this point we might as well write a bot that scrapes submitted pages for "curl * | * (sh|bash)" and leave this comment for all of them.


> If you're smart enough to realize that there might be something to worry about, you should be smart enough to be able to figure out how to

This is gatekeeping 101. Some people are just starting out in security/software engineering and things like this might not be obvious to them. It's good that you have suggested what to do but there are different ways to "suggest" things.


> This is gatekeeping 101

What? How?

> Some people are just starting out in security/software engineering and things like this might not be obvious to them

That's fair enough. But I wished these beginners then didn't make claims like "security tools cannot be installed like this, it's insecure", and we would all be better off.

Either you know what you're talking about and you share your knowledge. Or, you listen and ask questions in order to eventually know what you're talking about.


>> This is gatekeeping 101

> What? How? In many hobby communities, whenever new people ask questions, which are obvious to the more experienced people, some more experienced people become hostile/use more hostile language/say things like "you should know this wtf" etc. A fairly recent example I saw on Reddit of what I mean https://www.reddit.com/r/AdeptusMechanicus/comments/h7s5gw/g...

> That's fair enough. But I wished these beginners then didn't make claims like "security tools cannot be installed like this, it's insecure", and we would all be better off.

I understand where you are coming from but this is an eternal struggle with any profession.

> Either you know what you're talking about and you share your knowledge. Or, you listen and ask questions in order to eventually know what you're talking about.

Yes and no, this is Dunning-Kruger effect quite often https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect https://imgur.com/r/psychology/jbo2gy5


So ‘curl; cat; bash’ and not ‘curl | sh’ because the server can detect the pace/existence of the pipe and sneak in some unsafe commands.


It’s written in Go so it’s a bit shady to have an install script. This is how instructions should look like for a Go application: https://docs.gitea.io/en-us/install-from-binary/


Well, this is for users who do not want to work hard:) If you wish, you can clone the project and build, other option- you can download the file from the release url. It should be pretty simple to understand from the install.sh script. Good luck :)


Nobody needs install scripts that you can’t remove anymore. What happened to deb or rpm packages?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: