Linux

I usually read it first.

Just use a VM or container for installing software. It can go horribly wrong in a isolated place.

I also feel incredibly uncomfortable with this. Ultimately it comes down to if you trust the application or not. If you do then this isn't really a problem as regardless they're getting code execution on your machine. If you don't, well then don't install the application. In general I don't like installing applications that aren't from my distro's official repositories but mostly because I like knowing at least they trust it and think it's safe, as opposed to any software that isn't which is more of an unknown.

Also it's unlikely for the script to be malicious if the application is not. Further, I'm not sure a manual install really protects anyone from anything. Inexperienced users will go through great lengths and jump through some impressive hoops to try and make something work, to their own detriment sometimes. My favorite example of this is the LTT Linux challenge. apt did EVERYTHING it could think to do to alert that the steam package was broken and he probably didn't want to install it, and instead of reading the error he just blindly typed out the confirmation statement. Nothing will save a user from ruining their system if they're bound and determined to do something.

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written.

So you are concerned with security, but you understand that there aren't actually any security concerns... and actually you're worried about coding mistakes in shitty Bash?

I think safer approach is to:

1. Download the script first, review its contents, and then execute.
2. Ensure the URL uses HTTPS to reduce the risk of man-in-the-middle attacks

Unpopular opinion, these are handy for quickly installing in a new vm or container (usually throwaway) where one don't have to think much unless the script breaks. People don't install thing on host or production multiple times, so anything installed there is usually vetted and most of the times from trusted sources like distro repos.

For normal threat model, it is not much different from downloading compiled binary from somewhere other than well trusted repos. Windows software ecosystem is famously infamous for exactly the same but it sticks around still.

Just direct it into a file, read the script, and run it if you're happy. It's just a shorthand that doesn't require saving the script that will only be used once.

I usually just take a look at the code with a get request. Then if it looks good, then run manually. Most of the time, it's fine. Sometimes there's something that would break something on the system.

I haven't seen anything explicitly nefarious, but it's better to be safe than sorry.

curl | sudo bash Gang

You shouldn't install software from someone you don't trust anyway because even if the installation process is save, the software itself can do whatever it has permission to.

"So if you trust their software, why not their install script?" you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor it trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell.

And I think this is not obvious and very scary.

It's not much different from downloading and compiling source code, in terms of risk. A typo in the code could easily wipe home or something like that.

Obviously the package manager repo for your distro is the best option because there's another layer of checking (in theory), but very often things aren't in the repos.

The solution really is just backups and snapshots, there are a million ways to lose files or corrupt them.

Those just don't get installed. I refuse to install stuff that way. It's to reminiscent of installing stuff on windows. "Pssst, hey bud, want to run this totally safe executable on your PC? It won't do anything bad. Pinky promise". Ain't happening.

The only exception I make is for nix on non-nixos machines because thwt bootstraps everything and I've read that script a few times.

Anti Commercial-AI license

How is that safe?

It's not, it's a sign that the authors don't take security seriously.

If you use this

I never do.

Am I the only one who cringes when I have to update my system?

How do I know the maintainers of the repo haven't gone rogue and are now distributing malware?

DAE get anxious when running code on computer?

I think for the sake of security we should just use rocks, stones, and such to destroy all computers, as this would prevent malicious software from being executed.

What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

You're not wrong, but there's an element of trust in anything like this and it's all about your comfort level. How can you truly trust any code you didn't write and complie yourself. Actually, how do you trust the compiler.

And let's be honest, even if you trust my code implicitly (Hey, I'm a bofh, what could go wrong?) then that simply means that you're trusting me not to do anything malicious to your system.

Even if your trust is well-placed in that regard, I don't need to be malicious to wipe your system or introduce a configuation error that makes you vulnerable to others, it's perfectly possible to do all that by just being incompetent. Or even being a normally competent person who was just having a bad day while writing the script you're running now. Ooops.

Absolutely. Wanted to try out the famous Python management tool UV last week, installation instruction is like this:

curl -LsSf https://astral.sh/uv/install.sh | sh

Yeah, no thank you.