In faint defense of curl/sh installations

They ran the bash script instead of my compiled executable?!

I used to think the same thing: don’t install software using a curl command piped into bash.

But then I realized that you might as well never install anything ever again. There’s far more than just a simple bash script being run with other installation paths.

It’s not about the method of installation, it’s about how much you trust the source of it.

Whether you install something via the curl/sh method, or install via a .deb package, run someone’s .AppImage, etc… there’s nothing really making any of them better or worse in terms of security. They’re all capable of running code at some point, with the permissions you have.

At the end of the day, you have to ask yourself: do you trust the person providing you with the installer?

How you go about installing that software is a separate topic fraught with politics and opinions. And some installers have ways to verify authenticity — assuming the compromise isn’t deep in the author’s workflow.

That being missing from curl/sh is not a unique disadvantage. Especially considering how few are probably actually authenticating their installers, regardless of method.

It’s not ideal, but it’s not the singular boogeyman that some of us are making out to be.

Happy to entertain a more informed opinion on this. Maybe an angle I missed.


Actually, not really. But as I was writing that I did think of one potential reason to consider it a red flag: it’s trivial for a bad actor to just write a quick script and have you run it. Other methods of attack require building the actual installer. There’s a minor effort trade-off there. A speed bump that might deter the less experienced actors.

So at worst a curl/sh installer might just be considered a red flag, but only if a stranger passed it to you via a DM, or on IRC/Discord, etc. Like how you can have an .xyz domain and it’s totally fine, but it tends to be associated with shadier sites because it has a bad history. Just a red flag. Go to yellow alert. For the red flag. (Hot dog theme?)

Anyway, if you’re clicking links from strangers, you’re in the Danger Zone anyway.