cyrus-and/trace

Tells users to pipe to shell


This looks like a really cool project and I look forward to trying it. :)

However, it's a terrible anti-pattern to tell people to pipe from curl or wget to a shell. Please do not do this.

Even though it's generally (seen as) a bad practice, it's so useful for:

  • people who already inspected install.sh and found no malicious code;
  • me.

Anyway I provide a couple of alternatives.

But out of curiosity... how is the pipe approach different from:

wget -qO install.sh https://raw.githubusercontent.com/cyrus-and/trace/master/install.sh
sh install.sh

or even a "Click here to download the installer then run sh install.sh", or even running any other piece of code on your computer?

The only real concern may be the partial execution of the shell file due to an abrupt wget termination, but honestly it seems to me such an unlikely event that a proper solution would be overkill, especially for a small utility like this.

Another attack vector is for a malicious server to return different content based on the user-agent, so people who examine the script in their browser could see a harmless script, but then receive a malicious one when they curl or wget it.

Frankly, I think the early-termination issue is nothing to sneeze at, and is enough reason by itself to never recommend this practice.

Then there are other issues, such as updating the software. If you clone a repo with git, the subsequent pulls are more difficult to tamper with, and auditable. Plus, if you use signed git tags, it provides even more security for updates.

The bottom line is that it's just a very, very bad idea, and one that should be avoided at all costs, even on principle alone.

But, hey, it's your repo... :/
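The two hazards raised in this thread (a transfer cut off mid-script, and a server that hands curl/wget a different body than it shows a browser) can be made concrete offline. The following is an added example, not code from cyrus-and/trace or from either commenter: the installers, byte offsets and digests are constructed for the demonstration, and `install_from_file` stands in for the download-then-run sequence; in real use the file would come from `wget -qO install.sh URL` and the expected digest from a second channel such as release notes or a signed tag.

```shell
#!/bin/sh
# Added example (not the project's code): why a download that stops partway
# can execute a *different* command than the author wrote when piped straight
# into sh, why moving all work into a function called on the last line avoids
# it, and a download-to-file, verify, then run sequence that refuses content
# whose digest does not match what was published.

# Constructed installer in the naive layout: sh executes each command as soon
# as it has read it, so a truncated line is a command in its own right.
NAIVE_INSTALLER='echo step:prepare
echo step:remove-old-version
echo step:install-new-version
'

# Same installer with every command inside main(); nothing runs until the
# closing brace and the final call have both arrived intact.
GUARDED_INSTALLER='main() {
echo step:prepare
echo step:remove-old-version
echo step:install-new-version
}
main "$@"
'

# run_prefix SCRIPT NBYTES: feed only the first NBYTES of SCRIPT to sh, as a
# connection dropped mid-transfer would. Prints the "step:" lines that ran.
run_prefix() {
    printf '%s' "$1" | head -c "$2" | sh 2>/dev/null | grep '^step:' || true
}

# count_steps SCRIPT NBYTES: number of step lines executed from the prefix.
count_steps() {
    run_prefix "$1" "$2" | grep -c . || true
}

# last_step SCRIPT NBYTES: the last step line that executed (empty if none).
last_step() {
    run_prefix "$1" "$2" | tail -n 1
}

# sha256_of FILE: hex digest using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_from_file FILE EXPECTED_SHA256: the "download, check, then run"
# alternative. Because the file is on disk before anything executes, a cut-off
# transfer produces a digest mismatch instead of a half-run script, and a
# server that serves curl/wget something other than what the browser showed
# is caught the same way (assuming the digest came from a second channel).
install_from_file() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: sha256 $actual does not match $2" >&2
        return 1
    fi
    sh "$1"
}

# Stand-alone demo: 34 bytes cuts the naive script inside its second line.
echo "naive, first 34 bytes, last command that ran: $(last_step "$NAIVE_INSTALLER" 34)"
echo "guarded, first 34 bytes, commands that ran:   $(count_steps "$GUARDED_INSTALLER" 34)"
echo "guarded, complete, commands that ran:         $(count_steps "$GUARDED_INSTALLER" 1000)"
```

Truncating the naive script after 34 bytes runs `echo step:remove`, a command the author never wrote (with a command such as `rm -rf` in that position the consequences are obvious); the guarded layout fails to parse instead and runs nothing. The digest check is the part that the "click to download, then run sh install.sh" workflow also gives you for free: the bytes you read are the bytes you run.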