There is a vast community who thinks it's bad, and unsafe (with examples on how to detect direct piping to bash in order to serve malware) and a few ones condoning it. That seems like saying there is currently a debate on the roundness of the planet Earth.
Yes, it's exactly like that, but not in the way you think.
One side is a small-but-vocal minority making silly arguments. "how to detect direct piping to bash in order to serve malware"? An attacker who tries to serve different things to different people will easily be caught, and a simple diff will highlight their exploit. A much more robust attack strategy is to serve the same malware to everyone but obfuscate it. Make the vulnerability look like an innocent bug, and you have plausible deniability. This same attack works for every approach to software distribution, it's not unique to curl|bash.
The vast majority of pragmatic people just don't think there's an issue here, don't find these arguments convincing, and don't care to argue about it. I run the Sandstorm project, which uses curl|bash, and this issue really hasn't impacted adoption. Our users aren't naive, they understand what curl|bash is, but they also recognize that obviously by installing our software they are giving us arbitrary code execution. Users who don't trust us install Sandstorm in a separate VM -- the only reasonable way to run software you are suspicious of.
The problem is, doing this for a specific project you really trust is not a problem. But what you’re actually teaching inexperienced programmers, that this is true in the general case. Would you run a one liner like this if I sent it to you and it was hosted on GitHub?
The very intelligent people at Docker used to have this pattern at get.docker.io. They changed it.
And to obfuscate the attack, I think typo squatting in package managers like npm and pip, might be a blue print.
I really don't think anyone is being taught anything misleading here. curl|bash makes very clear that it's running arbitrary code as you, and I think almost everyone who invokes it does in fact understand that.
If anything, I think package managers create a false sense of security, especially ones that allow anyone to publish packages and declare dependencies on anything else. Installing an npm package -- even one from someone you trust -- could very easily transitively install something malicious. Debian packages are arguably better in that not just anyone can push packages to Debian's main package repo, but there's still a very real danger of a hidden backdoor. But I think a lot of people just assume installing from a package manager is not dangerous.
> The very intelligent people at Docker used to have this pattern at get.docker.io. They changed it.
Probably not for security reasons, though. There's a separate, very legitimate argument for distro packages, which is that they implicitly promise to play nicely with your distro's conventions and install themselves in a clean, manageable way. How to update or uninstall a distro package is well-defined. None of this is actually guaranteed, of course -- a package can do whatever it wants in an install hook. But assuming you trust the developer isn't malicious, then you can get some comfort knowing the package is unlikely to screw up your system.
curl|bash provides no such promise, even implicitly. Who the hell knows what it might decide to do. Maybe it has one of those `rm -rf $SOME_VAR_THAT_MIGHT_NOT_BE_DEFINED/*` bugs like Steam did at one point.
Sandstorm is careful to avoid messing up anything, installing itself to a self-contained directory, and providing an uninstall script. But the user doesn't really know that in advance.
The reason to use curl|bash in spite of this is because distro packaging is a lot of work (there are a lot of distros!) and may not be the best use of time for a small project. Docker is definitely big enough to do it, though.
So yeah, there's definitely a cleanliness argument. But the security argument is bogus.
It's still downloading and executing a script, just two steps instead of piping the output straight into bash.
You can't even inspect the code you run when you do curl|bash and the server is able to detect this distinction and hide code when you do a curl and then run bash.
You got me. The last time I installed Docker, I remember doing it using packages, so I assumed that was the replacement. Looking at their comment, it looks like they got tired of people arguing about it, so they changed the instructions to sidestep the argument. I don't think they seriously believe this made a security difference.
> You can't even inspect the code you run when you do curl|bash and the server is able to detect this distinction and hide code when you do a curl and then run bash.
I addressed exactly this argument two comments ago.
> Your argument is: "we do it and we use GitHub, you can trust us and can trust GitHub, you don't need to verify the code you run."
When did I ever say anything about GitHub? This isn't my argument at all.
> And devs learn: "Trust me, you don't need to verify the code you run."
Come on, nobody actually verifies all the code they run.
Ultimately, the only insecure thing about curl-to-bash is if you don't trust the server — the server in this case being Github. I think few people or companies include Github-being-malicious in their threat model; if Github was malicious, any build artifacts produced by even cloning from Github would be potentially suspect, since Github could fairly easily detect automated build agents and serve them different content (especially if the build agents were integrated with Github Actions, which is fairly common these days — or even if they were just using Github webhooks). If you do continuous delivery, or even if you just do continuous integration and then don't have a human decompile and audit every line of the build artifacts after they're created, you de facto trust your repo host; for most people that means Github.
I'm not going to go into the curl|sh debate, but there is actually something wrong about what you described. Trusting the server doesn't apply to Github at all.
Github is technically like a bazaar or mall. It's wrong to assume that if you trust a store on the bazaar you then trust ALL stores on the bazaar. You personally may, but then I strongly question your sense of security. Sure, you trust that Github doesn't add malicious stuff when cloning, but each repo on Github is kinda it's own "server" to fit into your analogy.
The link being used in the curl-to-bash example from the original discussion is a direct link to content in the repo itself — so if you trust that repo server for its content, it doesn't matter whether you curl-to-bash or not. If that Github server is malicious you're in trouble.
FWIW though, if Github servers have a vuln that allows attackers to modify repo content being served on a per-request basis, it's pretty likely that many repos (or even all repos) would be vulnerable, not just one. From a security standpoint I'd consider Github repo servers to be a tier of servers that you do or don't trust; saying that you trust one "server" within the tier but don't trust another doesn't make a lot of sense, especially since you don't actually know the topology behind their DNS and the "servers" are virtualized, colocated, and parts of them are ephemeral. What exactly are you trusting? Other than "I sent a request to Github and it gave me a response" there's not much you can say for certain — the request could've been routed to any number of repo servers, that may be hosting dozens of other repos on them as well. The server that responds today is likely a different virtualized server than the one that responds tomorrow, just attached to the same filesystem. But even if that weren't true, curl-to-bash in this example seems ultimately fine for most people.
If I were doing devops work that required Kubescape for an org, I would definitely package it into a deb (or whatever package format the org used internally) and install it that way rather than curl-to-bash. But that's not because of security gains from a deb vs a script, that's because I'd want to lock it to a stable version rather than always installing latest, and I wouldn't want to tie availability of Kubescape to Github repo servers being up (they do go down sometimes). But for getting started playing around with it, curl-to-bash is low friction, can easily support multiple OSes as compared to debs, and seems generally fine as it is used here.
OP. Of course if there's trusted parties along the way it's safe enough. But it is not durable to that trust being broken. e.g. if the user has learned to do this, and ends up through typo squatting on a malevolent fork of their code.
If it's okay on GH, we train the user to think it's okay on less secure sites.
Considering this practice is in widespread use, I think you might be overestimating the vastness of this "community" (community of what? anti pipe-to-shell community?) "More people are saying A rather than B" is not an especially convincing argument in the first place.
Right. Actually, since it's hard to tell if the earth is round y observation, I'd say it's more like a debate on whether the Sun goes around the Earth. You can just look up in the sky and see it move - the folks saying otherwise are obviously cranks. There's no need to listen to their arguments.
