
List Of Apps That Suggest Redirecting curl To Your Shell To Install 2020-06-16


In the world of Linux [and similar OSs] there is the issue of package management, or as some folks would call it, application installation. In the Windows world an application developer would compile their program into an executable file and distribute it. They might have to "package it" with an installer application or provide both 32bit and 64bit versions, but otherwise it is fairly well defined. In the Linux world a developer may have to create an RPM package for RedHat based systems, a DEB package for Debian based distros, an AUR package for Arch, and well... you see where this is headed. Some developers figure that rather than keep making piles of distribution packages every time they release a new version of their software they should just provide a single generic way to install. This is easier for them, but produces systems that have software which doesn't fall into the local application management strategy. What's worse is that some developers choose to simply maintain a script that "does everything" for the user and tell users to install it like this:

$ curl http://somecrap.com/script.sh | bash

This is a somewhat simplified example but the idea is to use curl to download a script and then take the contents of that script and run it. There are various arguments over whether this is a bad idea or not, and plenty of people have no doubt that it is entirely safe, and provide a plethora of excuses to legitimize the practice. This post is not for those people. You may close this tab now. Some folks figure it is begging for trouble, even if it hasn't bitten 100% of smartasses yet. At a bare minimum I think it encourages users to blindly run things without thinking about it first at all... which basically undoes the exact thing that supposedly makes Linux more secure than Windows. So, on with the list.

Application: Bitwarden Server
Notes: If you don't want to trust your passwords to the folks at Bitwarden you can always run your own server from their source at Github. Too bad their install options include (1) Windows with .NET and SQL server (2) Docker or (3) a Linux install script they don't even suggest reading. It isn't quite piping to your shell but it is here because they clearly don't want you to read the script first.

Application: Citadel/UX
Notes: This is an email client that over the years has also sort of grown into a groupware type application. It grew out of the old Citadel BBS software. Sadly, their install instructions say that you should curl http://easyinstall.citadel.org/install | bash.

Application: Joplin
Notes: If you are looking for a way to selfhost your calendar, notes, and todo list you may come across Joplin. I was happy to see that they have a 32 bit build for Windows and even portable versions, but the install instructions for Linux say you should wget -O - https://raw.githubusercontent.com/laurent22/joplin/dev/Joplin_install_and_update.sh | bash.

Application: KeeWeb
Notes: That's right, another password manager... you know, for people who are concerned about security. The install instructions say you should curl https://raw.githubusercontent.com/keeweb/keeweb/develop/dev-env.sh | bash -. Classy.

Application: Mail-in-a-Box
Notes: I was chatting with someone tonight about mail servers and this one came up in the conversation. I use a Windows based application as my mail server because *ix based solutions seem to all involve some patchwork of applications pasted together with peanut butter. How there is no *ix application that provides SMTP, IMAP, and POP services I don't know. It's not like they are unrelated services eh? Anyways, the setup guide says you should curl -s https://mailinabox.email/setup.sh | sudo -E bash.

Application: Nextcloud
Notes: This one almost shouldn't be here. Their install page has two steps... (1) download script and (2) run it like this: sudo bash nextcloud_install_production.sh. I'd really like to see a step in the middle that says (1b) seriously, just have a look at the script first, even if you might have to ask someone what it means.

Application: NixOS
Notes: Funny, our first entry is an actual package manager of sorts. The page here shows that the install should be done with $ sh <(curl https://nixos.org/nix/install) which is not exactly piping curl to your shell but is actually a backwards way of doing it. Sneaky fishy.

Application: Psono
Notes: What is it with password managers? This one says to bash <(curl -s https://gitlab.com/psono/psono-quickstart/raw/master/install.sh). Seriously, password managers? Seriously?

Application: Technitium DNS Server
Notes: Want to run your own DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) server? Well these guys will tell you to curl -sSL https://download.technitium.com/dns/install.sh | sudo bash - I mean, as long as you are concerned enough about security to run your own DNS server you may as well run their script without looking at it. Just in case anyone didn't know, the lower case s in that command is for "silent mode" and the upper case L is to blindly follow redirects. Extra secure eh? * Thanks to aeternum for pointing this one out to me.

theshat Hmmm...

I should add that the same kind of logic applies to non-Linux operating systems such as BSD's. I just use the term Linux in place of mentioning every exception that people might wish to throw at me. Additionally, I am not suggesting that anyone not use these applications (though that IS an option), but rather that downloading the script, looking at it, and then running it might be a more responsible computing habit.
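As an added example (not part of the original post, and not any of the listed projects' own code), here is the "download it, look at it, then run it" habit written as a few POSIX shell helpers. The script is saved to a file rather than piped, redirects are not followed and only https is allowed, its SHA-256 digest is printed so it can be compared against one the project publishes, and it is only executed once the digest matches a value you pass in. The installer script at the bottom is a constructed, harmless stand-in so the helpers can be exercised offline; the URL in the comment is a placeholder.

```shell
# Compute the SHA-256 hex digest of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches EXPECTED_SHA256, 1 otherwise.
verify_script() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1" >&2
    echo "  expected: $2" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# run_verified FILE EXPECTED_SHA256 [ARGS...]
# Runs the script with sh only after verify_script succeeds; refuses otherwise.
run_verified() {
    file=$1; expected=$2; shift 2
    verify_script "$file" "$expected" || return 1
    sh "$file" "$@"
}

# fetch_for_review URL OUTFILE
# Downloads to a file instead of piping: no -L (redirects are not followed),
# https only, and -f so an HTTP error does not leave an error page on disk.
# Prints the digest so it can be checked against what the project publishes.
# Example (placeholder URL): fetch_for_review https://example.invalid/install.sh ./install.sh
fetch_for_review() {
    curl -fsS --proto '=https' -o "$2" "$1"
    echo "saved to $2; open it in an editor, then compare this digest with the project's:"
    sha256_of "$2"
}

# Constructed sample installer so the helpers above can be tried without a network.
SAMPLE_SCRIPT=${TMPDIR:-/tmp}/constructed_installer.$$.sh
printf '%s\n' '#!/bin/sh' 'echo "pretend install complete"' > "$SAMPLE_SCRIPT"
SAMPLE_SHA=$(sha256_of "$SAMPLE_SCRIPT")
```

Typical use is fetch_for_review first, a read through the saved file, and then run_verified with the digest you read off; if the project publishes no digest, the value you computed after reviewing the file still protects you from a later re-download silently handing you different contents.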

Made with Notepad++ and FastStone, hosted on Devuan with nginx, without javascript, google bullshit, CDN crap, or cookies, and powered by NK shrooms.