Linux

I always try to avoid these, unless the application I'm installing has it's own package management functionality, like Rustup or Nix. Everything else should be handled by the system package manager.

https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
https://www.seancassidy.me/dont-pipe-to-your-shell.html
https://web.archive.org/web/20200131173255/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
https://github.com/Iossefy/curl-shell-pipe

Can you not just run the curl or wget without piping it into bash, first? This way you could inspect what the script wants to do.

You have the option of piping it into a file instead, inspecting that file for yourself and then running it, or running it in some sandboxed environment. Ultimately though, if you are downloading software over the internet you have to place a certain amount of trust in the person your downloading the software from. Even if you're absolutely sure that the download script doesn't wipe your home directory, you're going to have to run the program at some point and it could just as easily wipe your home directory at that point instead.

It's convenience over security, something that creeps in anywhere there is popularity. For those who just want x or y to work without needing to spend their day in the terminal - they're great.

You'd expect these kinds of script to be well tested against their targets and for the user to have/identify the correct target. Their sources should at least point out the security issue and advise to grab and inspect before straight up piping it though. Some I have seen do this.

Running them like this means you put 100% trust in the author, the source and your DNS. Not a big ask for some. Unthinkable for others.

To answer the question, no - you’re not the only one. People have written and talked about this extensively.

Personally, I think there’s a lot more nuance to the answer. Also a lot has been written about this.

You mention “communities that are security conscious”. I’m not sure in which ways you feel this practice to be less secure than alternatives. I tend to be pretty security conscious, to the point of sometimes being annoying to my team mates. I still use this installation method a lot where it makes sense, without too much worry. I also skip it other times.

Without knowing a bit more about your specific worries and for what kinds of threat you feel this technique is bad, it’s difficult to respond specifically.

Feel is fine, and if you’re uncomfortable with something, the answer is generally to either avoid it (by reading the script and executing the relevant commands yourself, or by skipping using this software altogether, for instance), or to understand why you’re uncomfortable and rationally assess whether that feeling is based on reality or imagination - or to which degree of each.

As usual, the real answer is - it depends.

Most packages managers can run arbitrary code on install or upgrade or removal. You are trusting the code you choose to run on your system no matter where you get it from. Remember the old bug in ubuntu that ran a rm -rf / usr/.. instead of rm -rf /usr/... and wiped a load of peoples systems?

Flatpacks, Apparmor and snaps are better in this reguard as they are somewhat more sandboxed and can restrict what the applications have access to.

But really if the install script is from the authors of the package then it should be just as trustworthy as the package. But generally I download and read the install scripts as there is no standard they are following and I don't want them touching random system files in ways I am not aware of or cannot undo easily. Sometimes they are just detecting the OS and picking relevant packages to install - maybe with some thrid party repos. Other times they mess with your home partition and do a bunch of stuff including messing with bashrc files to add things to your PATH which I don't like. I would never run a install script that is not from the author of the application though and be very wary of install scripts from a smaller package with fewer users.

No

This is simpler than the download, ./configure, make, make install steps we had some decades ago, but not all that different in that you wind up with arbitrary, unmanaged stuff.

Preferably use the distro native packages, or else their build system if it's easily available (e.g. AUR in Arch)

Well yeah ... the native package manager. Has the bonus of the installed files being tracked.

@cschreib
No.