Good thing we haven't normalized installing things with curl | sh

still_grokking · 2026-04-30T00:56:41 1777510601

Yeah, that's great!

Imagine we would download random code from the internet and just execute it, like with NPM, PIP, Maven, Cargo etc.

om8 · 2026-04-30T01:36:20 1777512980

cargo/uv/go have lock files though

dnnddidiej · 2026-04-30T04:04:10 1777521850

with curl | sh you could use a checksum you download with curl!

dawnerd · 2026-04-30T02:14:47 1777515287

Or npm being allowed to run arbitrary post install scripts

Semaphor · 2026-04-30T03:34:13 1777520053

I don’t think that matters as it’s usually curl | sudo sh

FlyThruTheSun · 2026-04-30T00:41:22 1777509682

I literally ship an installer that runs with curl | bash... reading this thread while patching my servers is a fun experience lol