Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Everyone is pointing at Windows but there are still installer software on MacOS. Normally crusty old corpoware like Citrix that needs to extend its tentacles to the whole system.

On Unix/Linux land the prevalence of pipe curl to bash type installers is not much different.

I normally keep both types away from my computers.



> On Unix/Linux land the prevalence of pipe curl to bash type installers is not much different.

This is a problem but only if you install software on Linux by manually going to the project page and copy-pasting whatever curl they have there, I think the difference is that mostly you're encouraged to go the package manager route, whereas on windows downloading .exes directly (ala the curl example) is the norm.


It seems to be increasingly the case that package managers just don't have some software - or have a version that's years out of date. Perhaps the number of different ones available has become self-defeating.

Directly sudoing a curl-ed script is like running a binary on Windows with admin permissions and with Defender turned off, which makes it somewhat more scary to me.

On Windows I use Chocolatey when I can, and if I can't (or it looks dodgy anyway) I'll either just not install it or try it in a sandbox. Things that aren't choco-able are generally commercial software obtained from the vendor's download page, we theoretically trust those things somewhat. YMMV.


> Directly sudoing a curl-ed script is like running a binary on Windows with admin permissions and with Defender turned off,

Most people would just say yes to any prompt they get, those wise enough not to aren't running random curl scripts either.

As for Defender being any kind of protection, I have my doubts.

> it seems to be increasingly the case that package managers just don't have some software - or have a version that's years out of date.

This is entirely distro dependant, some are very up to date and have most things you'd want, especially if you include the likes of AUR in that. But then there's usually a Flatpak or an AppImage that you can use in the odd case that they don't.


Actually no, the problem with curl | bash is that it can be detected on the server, so if the server is compromised, it can serve you malware and you will never know about it. It is safe(r) to curl > file, inspect the file, then execute it under bash.


The result of inspecting such a file is usually a series of disgusted shudders, "this will do WHAT do my machine"?


Sometimes a smile at the clarity and simplicity of the authors shell code, sometimes.


A rare delight but it does happen


Only installers I’ve seen are the .installer bundles, which leave behind a manifest for automated uninstalling.


On Unix/Linux land the prevalence of pipe curl to bash type installers is not much different.

True, but saying so will likely to earn you downvotes from those committed to this unhygenic practice ...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: