I think they mean using curl to grab something and piping the output to bash so it is executed locally.
And it is pretty common. Things like ohmyzsh use it. I find it scary because you’re running things direct from the web without any package signature architecture. I would trust the omz people but what if their GitHub was compromised? But don’t check any of the source? No. I don’t anyway, but with a bit of fear :/
Even if you check, you should download with curl and check the downloaded file, then run that, as a malicious server could present a normal download to browsers based on user agent and other fingerprinting data, while presenting a malicious script to curl.
Wish people would stop suggesting the pipe to bash scripts as an install method but the simplicity of being able to tell all Linux and Mac users to just paste a string into their terminal to install and letting the script deal with any differences between systems is probably why we keep seeing it for major projects, rather than a long list of instructions for different distros.
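The download, check, then run sequence from the comment above, as an added example that is not part of the thread or of any project's installer. The function names, the `INSTALLER_SHELL` variable and the pinned SHA-256 (recorded from the copy you actually read) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: save the installer to disk, verify it, run that exact file.
# Typical use (INSTALL_URL and PINNED_SHA256 are placeholders you supply):
#   fetch_installer "$INSTALL_URL" ./install.sh
#   less ./install.sh            # read the bytes curl actually received
#   run_if_pinned ./install.sh "$PINNED_SHA256"

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_installer URL DEST: write the script to DEST instead of piping it.
fetch_installer() {
    # --fail keeps an HTTP error page from being saved as the "script";
    # --proto/--proto-redir refuse anything that is not HTTPS.
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE only when its digest equals the value recorded at review time.
run_if_pinned() {
    rip_file=$1
    rip_expected=$2
    shift 2
    rip_actual=$(sha256_of "$rip_file" 2>/dev/null)
    # An empty digest (missing or unreadable file) is treated as a mismatch.
    if [ -z "$rip_actual" ] || [ "$rip_actual" != "$rip_expected" ]; then
        echo "refusing to run $rip_file: sha256 does not match pinned value" >&2
        return 1
    fi
    # The file that was hashed is the file that is executed.
    "${INSTALLER_SHELL:-bash}" "$rip_file" "$@"
}
```

Because the script is read and executed from the same file on disk, the server gets no second request on which to serve different content.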
I don’t think that’s how that works.
curl <x> | bash