snork.ca ... making kittens cry since 2001

List Of Apps That Suggest Redirecting curl To Your Shell To Install
2020-06-16


In the world of Linux [and similar OSs] there is the issue of package management, or as some folks would call it, application installation. In the Windows world an application developer would compile their program into an executable file and distribute it. They might have to "package it" with an installer application or provide both 32bit and 64bit versions, but otherwise it is fairly well defined. In the Linux world a developer may have to create an RPM package for RedHat based systems, a DEB package for Debian based distros, an AUR package for Arch, and well... you see where this is headed. Some developers figure that rather than keep making piles of distribution packages every time they release a new version of their software they should just provide a single generic way to install. This is easier for them, but produces systems with software that doesn't fall into the local application management strategy. What's worse is that some developers choose to simply maintain a script that "does everything" for the user and tell users to install it like this:

$ curl http://somecrap.com/script.sh | bash

This is a somewhat simplified example but the idea is to use curl to download a script and then take the contents of that script and run it. There are various arguments over whether this is a bad idea or not, and plenty of people have no doubt that it is entirely safe, and provide a plethora of excuses to legitimize the practice. This post is not for those people. You may close this tab now. Some folks figure it is begging for trouble, even if it hasn't bitten 100% of smartasses yet. At a bare minimum I think it encourages users to blindly run things without thinking about it first at all... which basically undoes the exact thing that supposedly makes Linux more secure than Windows. So, on with the list.

application  notes
Nextcloud    This one almost shouldn't be here. Their install page has two steps... (1) download the script and (2) run it like this: sudo bash nextcloud_install_production.sh. I'd really like to see a step in the middle that says (1b) seriously, just have a look at the script first, even if you might have to ask someone what it means.
NixOS        Funny, our first entry is an actual package manager of sorts. The page here shows that the install should be done with $ sh <(curl https://nixos.org/nix/install) which is not exactly piping curl to your shell but is actually a backwards way of doing it. Sneaky fishy.
theshat      Hmmm...

I should add that the same kind of logic applies to non-Linux operating systems such as the BSDs. I just use the term Linux in place of mentioning every exception that people might wish to throw at me. Additionally, I am not suggesting that anyone not use these applications (though that IS an option), but rather that downloading the script, looking at it, and then running it might be a more responsible computing habit.
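The download-it, look-at-it, then run-it habit described above, written out as a small shell workflow. This is an added example, not code from the original post or from any of the projects listed; it assumes curl is installed, and the URL and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): replace `curl URL | bash` with
# three separate steps so a human actually looks at the script before it runs.
# Assumes curl is installed; the URL and file names below are placeholders.
set -eu

# Lines that deserve a closer look before anything runs: privilege escalation,
# further downloads, eval, or recursive deletes.
FLAG_RE='(^|[^[:alnum:]_])(sudo|su|curl|wget|eval|rm +-rf)([^[:alnum:]_]|$)'

# Step 1: save the installer to a file instead of feeding it to a shell.
fetch_installer() {            # usage: fetch_installer URL DEST
    curl -fsSL --proto '=https' -o "$2" "$1"
}

# Step 2a: how many lines match FLAG_RE (prints a number, never fails).
count_flagged() {              # usage: count_flagged FILE
    grep -cE "$FLAG_RE" "$1" || true
}

# Step 2b: print hash, size and the flagged lines so the reader knows where to look.
review_installer() {           # usage: review_installer FILE
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
    printf '%s lines, %s flagged for review:\n' "$(wc -l < "$1")" "$(count_flagged "$1")"
    grep -nE "$FLAG_RE" "$1" || true
}

# Step 3: run only after someone has looked at the file. Interactively the script
# is shown in a pager and confirmation is asked; a non-interactive caller has to
# say INSTALLER_REVIEWED=yes explicitly, otherwise nothing runs.
run_after_review() {           # usage: run_after_review FILE [ARGS...]
    file=$1; shift
    if [ "${INSTALLER_REVIEWED:-}" != yes ]; then
        if [ -t 0 ]; then
            ${PAGER:-less} "$file"
            printf 'Run %s? [y/N] ' "$file"; read -r answer
            [ "$answer" = y ] || { echo 'not run' >&2; return 1; }
        else
            echo "refusing to run $file: nobody has reviewed it" >&2; return 1
        fi
    fi
    sh "$file" "$@"
}

# Typical use (placeholder URL; sudo, if needed, is the caller's decision):
#   fetch_installer https://example.invalid/install.sh ./install.sh
#   review_installer ./install.sh
#   run_after_review ./install.sh
```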

Made using Notepad++ & FastStone. Hosted on Devuan with nginx & php. Powered by North Korean mushrooms, without the help of javascript or cookies.