
`curl ... | sh` installations don't really bother me. The scripts tend to be short and commented, or at least readable. Sure beats running an opaque .pkg installer, which invariably asks for your password (presumably for no reason) and installs god-knows-what all over your hard drive.


Generally, yes, but some package managers have code-signing support, which means if you trust the authors, you can avoid potential hijacks.

At the end of the day, though, you're always going to trust someone with something.


Yes, but if you're doing curl ... | sh then you're not vetting the script you're running before you run it. If you were, you'd be running curl and sh as separate commands.
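The last comment's point, running the download and the shell as separate steps, sketched as an added example that is not part of the thread: the script is saved, read, and then executed only if it still matches the copy that was read. The helper names and the digest pinning are assumptions of this example, and the URL is a placeholder.

```shell
#!/bin/sh
# Added example: download, review, pin, then run (instead of `curl ... | sh`).
# sha256_of, run_vetted and demo_vetting are hypothetical helper names.
#
# Intended use, with a placeholder URL:
#   curl -fsSL https://example.invalid/install.sh -o install.sh
#   less install.sh                      # read what it will do
#   pin=$(sha256_of install.sh)          # digest of the copy you reviewed
#   run_vetted install.sh "$pin"

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_vetted FILE EXPECTED_SHA256
# Runs FILE only if it is byte-identical to the reviewed copy.
# Returns 2 on a missing file or digest mismatch, else the script's status.
run_vetted() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file; refusing to run" >&2
        return 2
    fi
    sh "$file"
}

# Constructed demo: a harmless stand-in installer, then a tampered copy.
demo_vetting() {
    dir=$(mktemp -d) || return 1
    printf 'echo "installing demo tool"\n' > "$dir/install.sh"
    pin=$(sha256_of "$dir/install.sh")
    run_vetted "$dir/install.sh" "$pin" || { rm -rf "$dir"; return 1; }
    # Simulate the file changing after review (e.g. a re-download).
    printf 'echo "unexpected extra step"\n' >> "$dir/install.sh"
    if run_vetted "$dir/install.sh" "$pin" 2>/dev/null; then
        rm -rf "$dir"; return 1          # tampered copy ran: failure
    fi
    rm -rf "$dir"
}
```

Calling `demo_vetting` runs the constructed installer once and then shows the tampered copy being refused.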



