[return to "Detecting the use of "curl | bash" server-side"]
1. curlpy+84 2018-07-29 03:02:48
>>rubyn0+(OP)
Half the problem with `curl | bash` installation is not related to whether or not you trust what you're downloading...

The more important reason why it is a _horrible_ _stupid_ mechanism for software installation is that it is not _repeatable_.

It is well understood that casual .deb .rpm usage requires an equivalent level of trust as downloading anything else off the internet... but they have the added advantage of being _consistent_, _repeatable_ and _mirrorable_... I can copy the entire repository of any version of Debian I want to my local file server, and use that to spin up however much infrastructure I want. And the only person I need to rely on after I have fetched the initial packages is myself.

2. kccqzy+q4 2018-07-29 03:09:51
>>curlpy+84
Plenty of those scripts simply detect your operating system and then interact with the system package manager (adding a new repository, updating the package index, then asking the package manager to install it).