I only discovered this recently, and it’s very handy.
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
I only discovered this recently, and it’s very handy.
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
This entire trend needs to die. Package managers exist. Use them. Shun and shame sites that promote shell script installers.
Fun fact, a malicious server can detect the difference between you loading the script for inspection in your browser, and you doing
curl | sh, and could serve an entirely different script.https://lukespademan.com/blog/the-dangers-of-curlbash/
Yeah - it’s remarkable that I receive pushback about it. I guess it’s down to the technical immaturity of your average home-gamer vs. people who support Linux systems for a living?
Of course, Linux sysadmin needs linux to remain a ceaseless whirlpool of busywork, that’s what they’re paid for. Imagine having a tool that cuts the bullshit out of using linux, it would put them right out of business if the users could just do the things they want to do without having to beg the middleman.
🤣
OMG this is so dumb.
Edit: I’m thinking this was satire?
Why else would so many of them step on the brake with both foots, shut down any way to streamline them out of the picture, while proposing impossible alternatives or even no alternatives. And of course it’s always about "for your security and safety "
This wasn’t satire?
🤣 🤣
I’ve never said a joke in my life
Apples and oranges.
Package managers only install a package with defaults. These helper scripts are designed to take the user through a final config that isn’t provided by the package defaults.
No need to be elitist about such things.
EDIT: this particular repo is highly regarded in the community. It is very akin to the AUR. It’s not some haphazard collection of scripts.
No, package installers support configuration. Plenty of packages (e.g. postfix) prompt for configuration at install time.
Heellll no, the scripts are publically available to read over if you’re sketched out. They save you so much time to actually get to using the service. 98% of my homelab is from these same helper scripts too.
RIP tteck
I don’t like that an adversary could modify that link or its contents without much detection or any logging.
When you compare it to package managers that have immutable versioning that’s a big downfall. If someone were modifying pypi or npm packages I would be surprised if it went undetected.
Realistically is that an issue, probably not. But I do try and reduce my exposure when I can.
Have you ever looked at what was once ttek scripts? They’re a spaghetti of calls to other scripts. It’s not pretty. And not intuitive to audit.
They work so what is your objection ?
If you are worried pipe it into chatgpt with the prompt
“tell me why this script is safe to use”
I thought I was being clear that I have audited some of the scripts. They are built referencing other scripts instead of functions, and these rely on URLs. It’s difficult to follow.
Don’t ask chatgpt to audit code.
There is no functional difference to piping a script vs running an AUR or other user repository install.
I asked repository maintainers and they said “LXC is not for apps” and of course docker is a good way to waste your weekends. So we don’t have repositories, we have scripts.
If you disagree, go tell them
https://discuss.linuxcontainers.org/t/where-can-i-find-the-biggest-lxc-container-repository/14946
Until then, people who have sacrificed enough of their weekend to the linux gods will be pipe internet text into their root consoles
“I’ll do what’s easy even if it’s not good” is a terrible approach to, well, anything. I would expect people in this community to look for guidance on what the best way to do things is. Seems I’m wrong.