A compromised site or browser could easily show the user steps to install malware and with only a minimal amount of obfuscation they would be indistinguishable from legit instructions to a user who doesn’t understand what the commands are supposed to do.
You don't even need that, I've seen a lot of projects tell you to curl a literal .sh you run in sudo.
I only do this if it's a really well known project and just kinda hope they weren't hacked on the exact day I'm installing it. You're right that it is a pretty big security issue, it's only a matter of time before somebody does that on a production machine somewhere, maybe it even happened who knows.
curl | sudo sh has got to be the funniest construct I've ever seen. who needs remote code execution when people will just download a script and inject it directly into their veins?
fwiw, I appreciate that nixos forces me to write a package for the stuff I want to use and doesn't already have one, and that I can't write a package that downloads a script and runs it because 99% of the script will try to break out of the sandbox.
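The alternative the thread is circling around is to download the installer to a file, pin it to a published digest, look at it, and only then run it, so the bytes that execute are the bytes you inspected. Below is an added example of that flow; it is not code from the thread or from any of the projects mentioned. The URL, file names and the digest in the demo are constructed, and the `flag_suspicious` heuristic is my own assumption about what a quick pre-run review should catch (nested `curl | sh` and `eval "$(...)"`).

```shell
#!/bin/sh
# Added example: "download, pin, inspect, then run" instead of `curl ... | sudo sh`.
# The expected digest must come from a channel other than the script itself
# (release notes, a signed manifest); the value you pass in here is an assumption.

# fetch_installer URL DEST: save to a file rather than piping into a shell.
# --proto '=https' and --tlsv1.2 refuse plaintext and old-TLS redirects.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED_HEX: return 0 only if the file's SHA-256 matches.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS / BSD fallback
    fi
    [ "$actual" = "$expected" ]
}

# flag_suspicious FILE: cheap pre-run review. Prints and fails (returns 1) on
# lines that fetch and execute further remote content, which would make the
# digest check above meaningless because the pinned file is not what runs.
flag_suspicious() {
    ! grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh|eval[[:space:]]+"?\$\(' "$1"
}

# run_pinned_installer URL EXPECTED_HEX: the whole flow; the script is run
# unprivileged and only after both checks pass.
run_pinned_installer() {
    tmp=$(mktemp) || return 1
    fetch_installer "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    verify_sha256 "$tmp" "$2" || {
        echo "digest mismatch: refusing to run $1" >&2; rm -f "$tmp"; return 1; }
    flag_suspicious "$tmp" || {
        echo "installer re-fetches remote code; review it by hand first" >&2
        rm -f "$tmp"; return 1; }
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (constructed values; the digest here is a placeholder, not a real release):
# run_pinned_installer https://example.invalid/install.sh 0000...placeholder
```

What this buys you is narrower than it looks: it does not help if the project itself is compromised and publishes a matching digest for the malicious script, which is the scenario the second comment worries about. It does close the gap between "the script someone reviewed" and "the script that actually ran" (a server can serve different bytes to `curl | sh` than to a browser), and the heuristic stops the common case where a short bootstrap script immediately pipes a second, unpinned download into a shell.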