Current nvm install methods for linux and mac are falling far from security best practice about nvm HOT 7 CLOSED

Interrupted connections are prevented by wrapping the install script in curly braces.

MitM doesn’t apply because it’s using TLS; it’s an https URL.

GitHub doesn’t do any curl | bash detection nor will ever.

There’s no sudo involved here.

So far, still a perfectly fine practice for nvm. Do you have any additional evidence, since none of those links support your claim as it applies to nvm?

from nvm.

Can you cite a source for that? My understanding is that in fact it isn’t a bad practice.

from nvm.

@ljharb https://lukespademan.com/blog/the-dangers-of-curlbash/
https://stackoverflow.com/questions/29382739/why-using-curl-sudo-sh-is-not-advised
https://sysdig.com/blog/friends-dont-let-friends-curl-bash/

Potential MITM attack.

from nvm.

TLS Mitm methods:
https://github.com/tanc7/Practical-SSL-TLS-Attacks/blob/master/TLS-mitm-methods.md

from nvm.

@lorantfecske-red61 thanks - if https is compromised, can you suggest any install method that wouldn’t be vulnerable to it?

I hope you’re not suggesting i mail physical copies of nvm to people who wish to download it.

from nvm.

I agree with @lorantfecske-red61, this is not a good practice. I discourage this use mostly because you don't know what the script is doing, this script could do anything with the user's machine. I prefer making users download everything, and use the proper tool to build/install the project.

For example, if the project can be built with a npm or yarn command I would consider that, since the scope of these tools are much more restricted than a shell script and are much more trustworthy.

Also I'd encourage users to read the readme, makefiles and scripts before telling them to execute scripts.

Regarding the HTTPS discussion I'd provide a SHA256 of the archive so users can validate what they downloaded.

from nvm.

@blmayer that's true about basically all software you install from all sources.

The script is contained in git, and the install script prefers installing it as a git repo. If you're that paranoid, you can clone the repo first and verify all that for yourself.

curl | bash is simply not a bad practice, despite security theater claiming it is. There may indeed be better practices but that doesn't make this one bad.

from nvm.