zlacker

The browser catches homograph attacks, the terminal doesn't

submitted by MrBudd+(OP) on 2026-02-03 13:06:19 | 81 points 49 comments

2. accoun+2Z3[view] [source] 2026-02-04 13:54:38
>>MrBudd+(OP)
> curl -sSL https://install.example-cli.dev | bash # safe

This is not and has never been safe.

6. tetris+8L4[view] [source] [discussion] 2026-02-04 17:35:18
>>accoun+2Z3
it really irks me that this is the default way to install micromamba

https://mamba.readthedocs.io/en/latest/installation/micromam...

12. rmunn+Kha[view] [source] [discussion] 2026-02-06 07:18:28
>>digita+VZ3
If you read the script before piping it into your shell, you're doing better than (I'm guessing) 90% of people, but it's still possible that the attacker who got you to copy https://xn--nstall-ovf.xn--example-cl-62i.dev into your terminal has also made similarly-hard-to-spot changes to the install script. E.g. if it downloads a .deb package from https://xn--nstall-ovf.xn--example-cl-62i.dev (same Cyrillic і character in there that looks like a Latin i but isn't), you might not spot that by reading the script.

But IMHO, your "unopened bottle of ketchup" analogy doesn't work. These days, the likelihood of someone trying to trick you into running arbitrary code disguised as an install script is so much higher than the chance that someone working at the ketchup bottling plant is deliberately contaminating bottles before they go out.

14. nullif+Uha[view] [source] 2026-02-06 07:20:19
>>MrBudd+(OP)
I would rather check urls with the following method:

  echo -e -n "https://іnstall.example-clі.dev" | python -c 'exec("""import sys, unicodedata\nfor ch in sys.stdin.read():\n  try:\n    print (ch, " ", unicodedata.name(ch))\n  except ValueError:\n    print ("codepoint ", ord(ch))\n""")'

instead of putting my trust in the hundreds of crates in this tool's Cargo.lock not having a supply chain attack.
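Added example (editor's code, not from any commenter in this thread or from the tool under discussion): a small checker that does what the one-liner in post 14 does per character, and adds the two checks posts 12 and 48 allude to. It accepts either the Unicode or the `xn--` form of a host, reports the punycode form a browser would fall back to, and flags any label that mixes scripts (Latin plus Cyrillic, the case in the thread) or contains non-ASCII code points. The script bucket is a heuristic taken from the first word of the Unicode character name, not a full UTS #39 confusables check; the sample hostnames are the ones quoted in the thread plus its plain-ASCII counterpart.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Coarse script bucket from the first word of the Unicode name.

    Heuristic only: letters map to LATIN, CYRILLIC, GREEK, ...; digits,
    hyphens and dots count as Common so they never trigger a mixed-script hit.
    """
    if not ch.isalpha():
        return "Common"
    try:
        return unicodedata.name(ch).split(" ", 1)[0]
    except ValueError:
        return "Unknown"


def to_unicode_host(host: str) -> str:
    """Accept either form of an IDN host and return the Unicode form."""
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host  # mixed xn--/non-ASCII input: leave as given
    return host


def analyze_host(host: str) -> dict:
    """Return punycode form plus a list of (label, reason) findings."""
    host = to_unicode_host(host.lower())
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        for c in label:
            if ord(c) > 0x7F:
                findings.append((label, f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"))
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        punycode = f"<invalid IDN: {exc}>"
    return {"host": host, "punycode": punycode,
            "findings": findings, "suspicious": bool(findings)}


def analyze_url(url: str) -> dict:
    return analyze_host(urlsplit(url).hostname or "")


def report(url: str) -> str:
    r = analyze_url(url)
    lines = [url, f"  host (unicode):  {r['host']}", f"  host (punycode): {r['punycode']}"]
    for label, why in r["findings"]:
        lines.append(f"  ! {label}: {why}")
    lines.append("  verdict: " + ("SUSPICIOUS" if r["suspicious"] else "plain ASCII"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Constructed samples: the thread's homograph host (Cyrillic U+0456 in two
    # labels), its xn-- form, and the genuine all-ASCII host.
    samples = sys.argv[1:] or [
        "https://install.example-cli.dev",
        "https://\u0456nstall.example-cl\u0456.dev",
        "https://xn--nstall-ovf.xn--example-cl-62i.dev",
    ]
    for url in samples:
        print(report(url))
```

Run it with the URL as an argument before pasting the command; a hit on the `xn--` form is the same signal a browser uses when it refuses to render the Unicode label.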
22. maxbon+hra[view] [source] [discussion] 2026-02-06 09:06:48
>>rmunn+Qha
> 2017-04-14: Blake Rand

> Links in comments were vulnerable to an IDN homograph attack.

https://news.ycombinator.com/security.html

26. moebro+kta[view] [source] [discussion] 2026-02-06 09:26:33
>>digita+VZ3
> If you read the script before you pipe it into your shell, it's safe.

This isn't strictly true. It's possible to detect on the server side if curl is being piped and deliver different content: https://web.archive.org/web/20241224173203/https://www.idont...

28. llm_ne+gua[view] [source] [discussion] 2026-02-06 09:35:17
>>Punchy+Hsa
It is literally the method given to install a number of products. The first mechanism given as a fix, of sorts, is to install something via brew.

Brew is installed by copying a command line-

https://brew.sh

I mean, I guess you could retype it, but there is no intention for anyone to do that.

29. moebro+Oua[view] [source] 2026-02-06 09:41:09
>>MrBudd+(OP)
Weird that just 3 days ago https://github.com/makalin/preexec was released with almost exactly the same functionality written in Go.
48. Downri+M9e[view] [source] [discussion] 2026-02-07 16:10:33
>>queenk+Ahd
But as the title of the post says, browsers already solved this problem.

https://www.xudongz.com/blog/2017/idn-phishing/

It does make running commands from an untrusted website a little safer, which is nice. I imagine it's not uncommon to copy installation scripts from random StackOverflow comments or blog posts, for example. But that's still not safe even with this tool. Homograph attacks aside, how can you tell if a URL you're pasting into your terminal is the official source for something? It's trivial to create fake GitHub accounts or organizations.
