this post was submitted on 19 Feb 2025
287 points (91.8% liked)

Mildly Infuriating

36899 readers
1226 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...

4. No Porn/ExplicitContent

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...

5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.

...

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 2 years ago
MODERATORS
LillianVS@lemmy.world
STRIKINGdebate2@lemmy.world
Tenthrow@lemmy.world
287
When software devs expect you to pipe a script straight from the internet into Bash... (dubvee.org)
submitted 1 week ago* (last edited 1 week ago) by ptz@dubvee.org to c/mildlyinfuriating@lemmy.world
83 comments fedilink hide all child comments
 

Developers: I will never ever do that, no one should ever do that, and you should be ashamed for guiding people to. I get that you want to make things easy for end users, but at least exercise some bare minimum common sense.

The worst part is that bun is just a single binary, so the install script is bloody pointless.

Bonus mildly infuriating is the mere existence of the .sh TLD.

Edit b/c I'm not going to answer the same goddamned questions 100 times from people who blindly copy/paste the question from StackOverflow into their code/terminal:

WhY iS ThaT woRSe thAn jUst DoWnlOADing a BinAary???

  1. Downloading the compiled binary from the release page (if you don't want to build yourself) has been a way to acquire software since shortly after the dawn of time. You already know what you're getting yourself into
  2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release's checksums file.
  3. Binaries can also be signed (not that signing keys have never leaked, but it's still one step in the chain of trust)
  4. The install script they're telling you to pipe is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there's lots of things that can go wrong with that.

The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice.

top 50 comments
sorted by: hot top controversial new old
[–] _cryptagion@lemmy.dbzer0.com 22 points 6 days ago (1 children)

I'm gonna go out on a limb and say you find this more than mildly infuriating.

[–] DuckWrangler9000@lemmy.world 5 points 6 days ago

I think you and a lot of others are late to the idea that mildly is kinda like a joke. Many things are majorly infuriating. On the reddit, many of their top posts aren't even major. They're catastrophic, just absurd. I've yet to find anything mild

[–] aesthelete@lemmy.world 16 points 6 days ago

That's becoming alarmingly common, and I'd like to see it go away entirely.

Random question: do you happen to be downloading all of your Kindle books? 😜

[–] tgt@programming.dev 14 points 6 days ago (1 children)

What's that? A connection problem? Ah, it's already running the part that it did get... Oops right on the boundary of rm -rf /thing/that/got/cut/off. I'm angry now. I expected the script maintainer to keep in mind that their script could be cut off at litterally any point... (Now what is that set -e the maintainer keeps yapping about?)

Can you really expect maintainers to keep network error in mind when writing a Bash script?? I'll just download your script first like I would your binary. Opening yourself up to more issues like this is just plain dumb.

[–] zarkanian@sh.itjust.works 1 points 5 days ago (1 children)

Doesn't it download the entire script before piping it?

[–] Ziglin@lemmy.world 3 points 5 days ago

It runs the curl command which tries to fetch the entire script. Then no matter what it got (the intended script, half the script, something else because somebody tampered with it) it just runs it without any extra checks.

[–] gandalf_der_12te@discuss.tchncs.de 10 points 6 days ago

tbf, every time you're installing basically anything at all, you basically trust whoever hosts the stuff that they don't temper with it. you're already putting a lot of faith out there, and i'm sure a lot of the software actually contains crypto-mineware or something else.

[–] clutchtwopointzero@lemmy.world 7 points 5 days ago (1 children)

I saw many cases of this with windows PowerShell and those Window debloating scripts

[–] AnyOldName3@lemmy.world 2 points 5 days ago (2 children)

PowerShell has a system to sign scripts, and with its default configuration, will refuse to execute scripts, and with the more sensible configuration you should switch to if you actually use PowerShell, refuses to execute unsigned scripts from the Internet.

I suspect that most of the scripts you're referring to just set -ExecutionPolicy Bypass to disable signature checking and run any script, though.

[–] Gurfaild@feddit.org 3 points 5 days ago 
Invoke-WebRequest | Invoke-Expression

bypasses signature checking because there is no file to be signed

[–] clutchtwopointzero@lemmy.world 1 points 5 days ago

You are correct

[–] olafurp@lemmy.world 6 points 5 days ago

They should really put the npm installation first

[–] cupcakezealot@lemmy.blahaj.zone 11 points 6 days ago

I'll do it if it's hosted on Github and I can look at the code first but if it's proprietary? Heck no

[–] lastweakness@lemmy.world 2 points 6 days ago (3 children)

What's a good package manager right now for stuff like this if i don't want to use the distro package manager though? I want up to date versions of these tools, ideally shipped by the devs themselves, with easy removal and updates. Is there any right now? I think Homebrew is like that? But I wish it didn't need creating an entire new user and worked on a user account basis.

In an ideal world, i would want to use these tools in such a way that I can uninstall them, including any tool data (cache, config, etc), and update them in a reliable manner. Most of these tools are also hellbent on creating a new "." folder or file in the home folder ignoring the XDG spec.

[–] expr@programming.dev 3 points 6 days ago (2 children)

Nix. I use it for everything, including all of my tools I use on my work MacBook.

There are many ways to use nix for this stuff, but personally I use home-manager in a flake-based setup. Versions of tools are all pinned in a lockfile which is committed to source control, so it's easy to get my config and all my tools on a new machine without any breakage (it does require installing first, though).

It's a great tool and has largely solved the pain of dealing with having to work on MacOS, for me.

[–] PartiallyApplied@lemmy.world 1 points 5 days ago (1 children)

Do you know of any Nix projects which are basically nix-but-as-if-was-brew?

I get that this violates the Nix philosophy, but it’s hard convincing collabs to install a root package manager, which has install commands like:

nix profile install nixpkgs/nixos-24.11#hello

I get that it’s flexible, but I would like something more like:

nix install hello

I want three things:

  1. rootless
  2. can manage “casks”
  3. global cli with support for per-project flakes

Do you know if this exists / is being developed?

[–] expr@programming.dev 2 points 5 days ago
  1. Supposedly there's a way to install nix without root access, but I can't speak to it as I've never tried. Ofc it doesn't require sudo to install packages or anything, though.
  2. I don't think it does this right now, largely because it's super fucking complicated (as is basically everything Apple) and homebrew casks themselves have had a ton of headaches around it. But nevertheless, I think home-manager has some workarounds it uses itself to enable many common GUI apps on MacOS.
  3. Not sure exactly what you mean, but I think it does that?

If you want to install packages purely by name, you can use nix-env -i hello or whatever. But it's pretty janky and not really a recommended way of doing things.

[–] lastweakness@lemmy.world 1 points 6 days ago

Nix is a great suggestion and I think i will be using it moving forward as well. Thanks. Ideally I want to use NixOS, do you know if secure boot is still a pain point with NixOS?

[–] fraksken@infosec.pub 3 points 6 days ago (1 children)

It says in the comment of the script:

npm install

[–] lastweakness@lemmy.world 3 points 6 days ago

npm is JS-specific

[–] corsicanguppy@lemmy.ca -4 points 6 days ago (1 children)

if i don't want to use the distro package manager

I'm stunned you don't understand why this is a problem.

This was absolutely trivial stuff before the great Y2K layoffs, so if you can't figure it out, ask someone who was releasing software professionally back then.

And please, if you learn something from this, try to help others.

[–] lastweakness@lemmy.world 2 points 6 days ago

I don't want to use a distro package manager for certain software because nearly every distro except Arch requires adding third party repositories which can stop getting updates at any second.

Don't worry, I understand the intricacies of these problems a lot more deeply than you probably realise. As a developer, it can suck when your "hotfix" cools down by the time a distro gets around to packaging it. And as a packager, you're human in the end. As a user though, you just want stuff to work.

As a longtime Linux user, this isn't really a problem for me, none of this is. But what about a new user? We need to address these issues at some point if we want Linux to be truly user-friendly.

[–] badbytes@lemmy.world -1 points 6 days ago

I wouldn't call anyone who does this, a developer. No offense, but its a horrible practice, that usually come from hacky projects.

[–] Godort@lemm.ee 107 points 1 week ago (2 children)

It's bad practice to do it, but it makes it especially easy for end users who already trust both the source and the script.

On the flip side, you can also just download the script from the site without piping it directly to bash if you want to review what it's going to do before you run it.

[–] thebestaquaman@lemmy.world 19 points 6 days ago (1 children)

Would have been much better if they just pasted the (probably quite short) script into the readme so that I can just paste it into my terminal. I have no issue running commands I can have a quick look at.

I would never blindly pipe a script to be executed on my machine though. That's just next level "asking to get pwned".

[–] WolfLink@sh.itjust.works 12 points 6 days ago (1 children)

These scripts are usually longer than that and do some checking of which distro you are running before doing something distro-specific.

[–] zalgotext@sh.itjust.works 4 points 6 days ago

Doing something distro-specific in an install script for a single binary seems a bit overcomplicated to me, and definitely not something I want to blindly pipe into my shell.

The bun install script in this post determines what platform you're on, defines a bunch of logging convenience functions, downloads the latest bun release zip file from GitHub, extracts and manually places the binary in the right spot, then determines what shell you're using and installs autocompletion scripts.

Like, c'mon. That's a shitload of unnecessary stuff to ask the user to blindly pipe into their shell, all of which could be avoided by putting a couple sentences into a readme. Bare minimum, that script should just be checked into their git repo and documented in their Readme/user docs, but they shouldn't encourage anyone to pipe it into their shell.

[–] Deello@lemm.ee 27 points 1 week ago

It's bad practice to do it, but it makes it especially easy for end users who already trust both the source and the script.

You're not wrong but this is what lead to the xz "hack" not to long ago. When it comes to data, trust is a fickle mistress.

[–] Korne127@lemmy.world 56 points 1 week ago (9 children)

Installing Rust: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh (source)
Installing Homebrew: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" (source)

I understand that you find it infuriating, but it's not something completely uncommon, even in high end projects :/

[–] barsoap@lemm.ee 7 points 6 days ago* (last edited 6 days ago) (1 children)

--proto ‘=https’ --tlsv1.2

That's how you know they care, no MIMing that stuff without hijacking the CA at which point you have a whole another set of problems, and if you trust rustc to not delete your sources when they fail a typecheck, then you can trust their installer. -f is important to not execute half-downloaded scripts on failure, -s and -S are verbosity options, -L follow redirects.

[–] tgt@programming.dev 2 points 4 days ago (1 children)

So I was wondering what the flags do too, to check if this is any safer. My curl manual does not say that -f will not output half downloaded files, only that it will fail on HTTP response codes of 400 it greater... Did you test that it does not emit the part that it got on network error? At least with the $() that timing attack won't work, because you only start executing when curl completes...

[–] barsoap@lemm.ee 3 points 4 days ago* (last edited 4 days ago) (1 children)

With the caveat that I'm currently blanking on the semantics of sub-shells yes I think you're right, -f is about not executing <hmtl><h1>404 Not Found</h1></html>. Does curl output half-transferred documents to stdout in the first place, though, and also bash -c is going to hit the command line length limit at some point.

And no I haven't tried anything of this. I use a distribution, I have a package installer.

[–] tgt@programming.dev 2 points 4 days ago (1 children)

See the proof of concept for the pipe detection mentioned elsewhere in the thread https://github.com/Stijn-K/curlbash_detect . For that to work, curl has to send to stdout without having all data yet. Most reasonable scripts won't be large enough, and will probably be buffered in full, though, I guess.

Thanks for the laugh on the package installer, haha.

[–] barsoap@lemm.ee 1 points 4 days ago* (last edited 4 days ago)

Just skimmed through rustup-init.sh and executing half-downloaded things is not an issue, it's all function declarations, one set -u and one variable declaration (without side effects) before the last line of the script kicks off everything with main "$@" || exit 1. It's also a dash/bash/ksh/zsh/whatever-polyglot, someone put a lot of thought in this. Also it's actually just figuring out the architecture and OS to know what binary installer to download. So don't worry, it won't accidentally rm -rf /usr.

[–] ChaoticNeutralCzech@feddit.org 6 points 6 days ago* (last edited 6 days ago) (1 children)

There is even a Windows (Powershell) example for Winutil:

Stable Branch (Recommended)

irm "https://christitus.com/win" | iex

Better than explaining how to make a .ps file trusted for execution (thankfully, one of the few executable file extensions that Windows doesn't trust by default) but why not just use some basic .exe builder at this point?

Obligatory "they better make it a script that automatically creates a medium for silent Linux Mint installation, modifies the relevant BIOS settings and restarts" to prevent obvious snarky replies

[–] superkret@feddit.org 3 points 6 days ago (1 children)

Using a url that's just some dude's name makes this so much worse.

[–] ChaoticNeutralCzech@feddit.org 2 points 6 days ago

He's reasonably trustworthy. I trust his utility more than Micro$oft but less than Linus Torvalds.

[–] PlexSheep@infosec.pub 4 points 6 days ago

For rust at least, those are packaged in Debian and other distros too. I think rustup is in Debian Trixie too.

[–] felbane@lemmy.world 28 points 1 week ago

Common or not, it's still fucking awful and the people who promote this nonsense should be ashamed of themselves.

load more comments (5 replies)
[–] needanke@feddit.org 27 points 1 week ago* (last edited 1 week ago) (11 children)

Would you prefere

$ curl xyz
$ chmod +x xyz
$ ./xyz

?

[–] ozymandias117@lemmy.world 37 points 1 week ago (1 children)

You can detect server-side whether curl is piping the script to Bash and running it vs just downloading it, and inject malicious code only in the case no one is viewing it

https://github.com/Stijn-K/curlbash_detect

So that would at least be a minor improvement

load more comments (1 replies)
load more comments (10 replies)
load more comments
view more: next ›