Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
-
@larsmb But does it also leak to the server that you're using "--install" and not just try to download the file so that when you're trying to just download the malicious script the server can send you a version without the malware instead?
-
@larsmb
I was shortly thinking that that is a chicken/egg situation if you want to install cURL via the `--install` option... 
@larsmb @heiglandreas Let's just do a Microsoft, and ship every OS with something that isn't curl aliased as curl.
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb This is a plan without a flaw nor any possibility of error!
-
@pianosaurus @larsmb @agowa338
I think RFC 3514 "The Security Flag in the IPv4 Header" have place here.
-
@larsmb Also, curl should require sudo!
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb it should default to sudo to make things easy.
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb please make it check a malware filter before passing it to $shell
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
Not sure how "| sh" is any less secure than what people do 99.9% of the time anyway, which is download an installer or executable and not bother or validate it.
If you really want to change the world, work out an actually secure mechanism (tall order!) and have --install implement it. Not sure what that would look like: https requirement, maybe a database of known/vetted installations, a means to report issues. Very tall order.
-
Not sure how "| sh" is any less secure than what people do 99.9% of the time anyway, which is download an installer or executable and not bother or validate it.
If you really want to change the world, work out an actually secure mechanism (tall order!) and have --install implement it. Not sure what that would look like: https requirement, maybe a database of known/vetted installations, a means to report issues. Very tall order.
@tbortels Well that's, like... a package manager? Let's call it cURL Universal Package System and abbreviate it CUPS... oh damn.
-
@tbortels Well that's, like... a package manager? Let's call it cURL Universal Package System and abbreviate it CUPS... oh damn.
Sadly I think I trust Badger and friends to get it right more than my package manager.
CUPS. Now that's a name I've not heard in a long time...
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb
"| sh" _IS_ the curl install option -
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb pair it with some yet-to-be-specified `integrity` parameter to check the file and we're there.
-
@larsmb Also, curl should require sudo!
-
Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.
Finally a truly universal installer.
@larsmb maybe --execute will be a better option because its not always a Installation script.
-
@tbortels Well that's, like... a package manager? Let's call it cURL Universal Package System and abbreviate it CUPS... oh damn.
@christopherkunz @tbortels Package managers are so awesome we have hundreds.
-
@larsmb maybe --execute will be a better option because its not always a Installation script.
@nyansen Ohhh how about "--rootkit"
-
@nyansen Ohhh how about "--rootkit"
@larsmb for a curl anti cheat system?
-
S strit@mastodon.social shared this topic
