Gregory's Server@kytta piping curl into sh... especially a non-https one. Why are people still doing this.
|
2 comments
@kytta I know,- it just shows newcomers that this is something everybody does and it is supposed to be secure. But its not. It's dangerous and people should stop advertising it. Imagine some website is hacked and people install packages this way only. Nobody would recognize that their system is compromised. We have a reason for package managers. |
@Anachron it's basically HTTPS: if you try to request the HTTP version, it'll auto-redirect. Also, one doesn't have to pipe the script if one doesn't trust it, there are many other ways to use this software