zlacker

It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.

It's just the plausible blame that shifts.

If you read the script before you pipe it into your shell, it's safe.

And if that's not safe, then it's just as dangerous to trust that an unopened bottle of ketchup is safe.

Nothing is safe. Everything is a judgement. Being culpable is a professional service. Lucky people out-earn unlucky people. The world is a scary place.

replies(7): >>xg15+p1 >>polite+Fb6 >>anthk+th6 >>rmunn+Ph6 >>zzo38c+Si6 >>Punchy+Rs6 >>moebro+pt6

>>digita+(OP)
This is why we have linux distributions with maintainers who can take at least a basic look at the software, vet dependencies and run it through a test suite. And they only have to do that once for each new version and not again and again for each download.

>>digita+(OP)
No, not really. This reads like ornate hand waving to distract from different threat models and situations.

A lot of safety is down to accountability. A distribution through an attributable marketplace or being verifiably signed.

Safety isn't a performative action, so reading a script may still confuse you or you may miss subtleties. But opting for a safer install mechanism makes a huge difference, which is we always ought to prefer apt, dnf, over the likes of curlbash, brew, npm.

replies(2): >>mayhem+we7 >>queenk+ui9

>>digita+(OP)
Linux distributions contain a curated set of packages. And, if any, distros like Guix can import NPM crap and at least place it under an isolated container for work so the rest it's unharmed.

replies(1): >>Punchy+Zs6

>>digita+(OP)
If you read the script before piping it into your shell, you're doing better than (I'm guessing) 90% of people, but it's still possible that the attacker who got you to copy https://xn--nstall-ovf.xn--example-cl-62i.dev into your terminal has also made similarly-hard-to-spot changes to the install script. E.g. if it downloads a .deb package from https://xn--nstall-ovf.xn--example-cl-62i.dev (same Cyrillic і character in there that looks like a Latin i but isn't), you might not spot that by reading the script.

But IMHO, your "unopened bottle of ketchup" analogy doesn't work. These days, the likelihood of someone trying to trick you into running arbitrary code disguised as an install script is so much higher than the chance that someone working at the ketchup bottling plant is deliberately contaminating bottles before they go out.

replies(1): >>rmunn+Vh6

>>rmunn+Ph6
Hah. Hacker News is immune to homograph attacks. Good to know.

replies(1): >>maxbon+mr6

>>digita+(OP)
> If you read the script before you pipe it into your shell, it's safe.

If you download it first before executing it (instead of downloading it a second time when executing it), then that mitigates one problem, but still not all of them (like you mention). Other mitigations are also possible, such as hashing, certificate pinning, sandboxing, etc.

replies(1): >>Epa095+wn6

>>zzo38c+Si6
This is a good point. Made me think about how I will usually read if first, but in the browser. And it's easy for the server to check the user agent, and serve me a different version in the browser!

replies(1): >>kreetx+vL6

>>rmunn+Vh6
> 2017-04-14: Blake Rand

> Links in comments were vulnerable to an IDN homograph attack.

https://news.ycombinator.com/security.html

>>digita+(OP)
> It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.

Absolutely incorrect. You can do far easier due dilligence for IDE plugins

replies(1): >>mayhem+2g7

>>anthk+th6
also you're getting at least some of crowd safety in it. If you're using Debian Testing or a rolling distro your package was probably tested by a bunch of people already.

If you're using stable/LTS branch, there were far more eyes on it too

And packages are signed, can't just hijack web domain to inject code

>>digita+(OP)
> If you read the script before you pipe it into your shell, it's safe.

This isn't strictly true. It's possible to detect on the server side if curl is being piped and deliver different content: https://web.archive.org/web/20241224173203/https://www.idont...

>>Epa095+wn6
Yup. The script that you execute should literally be the one that you read. (I.e, no downloading twice)

>>polite+Fb6
I'm Not sure that I agree that it is automatically safer to prefer apt or dnf, and I'm definitely sure that it is not safer to prefer npm.

Safety is about managing risk. One element of managing risk is evaluating trust. I'm thinking that there are much fewer people I have to trust by copying the curl | bash install method from homebrew's secure website.

But at any rate, I completely agree that piping a curl'd script directly to the shell should be considered unsafe, even if it's from a trusted source. It's quite easy to do additional checks to reduce your risk significantly for this type of attack. You could read the contents of your clipboard with a hex editor and check for non-ascii characters. But wait? How do I install the hex editor? Don't I need a hex editor to check the install method of the hex editor? AAAAH! It's turtles all the way down!!!!

>>Punchy+Rs6
Can you elaborate? How do you like to evaluate your IDE plugins?

>>polite+Fb6
It's nice until you need something that isn't in the distro repo. Personally i prefer a script i can easily inspect over a .deb that will also run it's own scripts (as root!) that it takes me much more effort to inspect.

I guess yeah, you are right, distro repos are safest, but there's lots of times where they aren't sufficient.