It is also terrible conditioning to pipe stuff to bash because it’s the equivalent of “just execute this .exe, bro”. Sure, right now it’s github, but there are other curl|bash installs that happen on other websites.
Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.
But…“just execute this .exe, bro” is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?
No, it was compiled by the team which maintains my distro’s package repository, and cryptographically verified to have come from them by my package manager. That’s a lot different than downloading some random executables I pulled from a website I’d never heard of before and immediately running them as root.
I would encourage you to read up on the issue before thinking they haven’t.
Here is the most sophisticated exploit: Detecting the use of “curl | bash” server side.
It is also terrible conditioning to pipe stuff to bash because it’s the equivalent of “just execute this
.exe, bro”. Sure, right now it’s github, but there are other curl|bash installs that happen on other websites.Additionally a tar allows one to install a program later with no network access to allow reproducible builds. curl|bash is not repoducible.
Anti Commercial-AI license
But…“just execute this
.exe, bro” is generally the alternative to pipe-to-Bash. Have you personally compiled the majority of software running on your devices?No, it was compiled by the team which maintains my distro’s package repository, and cryptographically verified to have come from them by my package manager. That’s a lot different than downloading some random executables I pulled from a website I’d never heard of before and immediately running them as root.