Comments (7)
Interrupted connections are prevented by wrapping the install script in curly braces.
MitM doesn’t apply because it’s using TLS; it’s an https URL.
GitHub doesn’t do any curl | bash detection, nor ever will.
There’s no sudo involved here.
So far, still a perfectly fine practice for nvm. Do you have any additional evidence, since none of those links support your claim as it applies to nvm?
from nvm.
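The brace-wrapping point in the comment above, as an added example that is not nvm's own installer: two constructed stand-in "install scripts", one with its body wrapped in `{ ... }` and one without, are each cut off mid-way (as an interrupted download would be) and piped into `sh`, then the number of install steps that actually executed is counted. The step names, the `$OUT` log file and the byte counts are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not nvm's own code): why wrapping an install script's
# body in `{ ... }` stops a truncated `curl | sh` from running partially.
# The two "scripts" below are constructed stand-ins for a real installer.

# Unwrapped: the shell executes each line as soon as it is parsed, so if
# the transfer is cut after line 1, step 1 has already run.
unwrapped_script() {
  printf '%s\n' 'echo step1 >> "$OUT"' 'echo step2 >> "$OUT"'
}

# Wrapped: the shell must read the closing `}` before executing anything
# inside the group; a cut-off body is a syntax error and nothing runs.
wrapped_script() {
  printf '%s\n' '{' 'echo step1 >> "$OUT"' 'echo step2 >> "$OUT"' '}'
}

# Simulate an interrupted download by keeping only the first N bytes.
truncate_to() {
  head -c "$1"
}

# Feed a (possibly truncated) script to a fresh `sh` over a pipe, the way
# `curl -s URL | sh` does, and report how many install steps executed.
run_piped() {
  script_fn=$1
  nbytes=$2
  OUT=$(mktemp) || return 1
  export OUT
  "$script_fn" | truncate_to "$nbytes" | sh >/dev/null 2>&1 || true
  steps=$(wc -l < "$OUT" | tr -d ' ')
  rm -f "$OUT"
  echo "$steps"
}

# Cutting both scripts at 30 bytes lands in the middle of line 2:
# run_piped unwrapped_script 30   -> 1  (step 1 ran, step 2 was lost)
# run_piped wrapped_script 30     -> 0  (nothing ran)
# run_piped unwrapped_script 1000 -> 2  (complete transfer)
# run_piped wrapped_script 1000   -> 2
```

The braces only change when the shell starts executing; they say nothing about where the bytes came from, so this guards against a half-delivered script, not against a server or intermediary that delivers a complete but altered one.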
Can you cite a source for that? My understanding is that in fact it isn’t a bad practice.
@ljharb https://lukespademan.com/blog/the-dangers-of-curlbash/
https://stackoverflow.com/questions/29382739/why-using-curl-sudo-sh-is-not-advised
https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
Potential MITM attack.
TLS Mitm methods:
https://github.com/tanc7/Practical-SSL-TLS-Attacks/blob/master/TLS-mitm-methods.md
@lorantfecske-red61 thanks - if https is compromised, can you suggest any install method that wouldn’t be vulnerable to it?
I hope you’re not suggesting I mail physical copies of nvm to people who wish to download it.
I agree with @lorantfecske-red61, this is not a good practice. I discourage this use mostly because you don't know what the script is doing, this script could do anything with the user's machine. I prefer making users download everything, and use the proper tool to build/install the project.
For example, if the project can be built with an npm or yarn command I would consider that, since the scope of these tools is much more restricted than a shell script and they are much more trustworthy.
Also I'd encourage users to read the readme, makefiles and scripts before telling them to execute scripts.
Regarding the HTTPS discussion I'd provide a SHA256 of the archive so users can validate what they downloaded.
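The SHA256 suggestion in the comment above, as an added example that is neither nvm's installer nor the commenter's code: fetch to a file, compare its digest with a digest published by the project, and only run the file on a match. `curl -fsSL`, `sha256sum` and `shasum -a 256` are the standard tools with their real flags; the URL, the digest argument and the temp-file names are placeholders, and the test inputs are constructed.

```shell
#!/bin/sh
# Added example, not nvm's installer: download to a file, check a published
# SHA256, and only execute on a match. The URL and digest passed to
# fetch_verify_run are hypothetical; the values used in testing are constructed.

# Hex SHA256 of a file, using GNU coreutils or the BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only when the file's digest equals the expected hex digest
# (compared case-insensitively; an empty expectation never matches).
verify_sha256() {
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  got=$(sha256_of "$1")
  [ -n "$want" ] && [ "$got" = "$want" ]
}

# Run a local script file only if its digest matches: exit 2 on mismatch,
# otherwise the script's own exit status.
run_if_verified() {
  if verify_sha256 "$1" "$2"; then
    sh "$1"
  else
    echo "checksum mismatch for $1, refusing to run" >&2
    return 2
  fi
}

# The `curl | bash` replacement: the network stream never reaches a shell.
# A truncated or tampered body fails the digest check before any of it runs.
fetch_verify_run() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  if ! curl -fsSL -o "$tmp" "$url"; then
    rm -f "$tmp"
    return 1
  fi
  run_if_verified "$tmp" "$expected"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Example call (hypothetical URL; the digest must come from the project,
# out of band, not from the same download):
# fetch_verify_run https://example.invalid/install.sh <published-sha256>
```

The digest only adds anything if it is obtained through a channel independent of the download itself (a release page, a package index, a value pinned in your own provisioning repo). A digest served from the same host as the script is replaced along with the script by whoever controls that host.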
@blmayer that's true about basically all software you install from all sources.
The script is contained in git, and the install script prefers installing it as a git repo. If you're that paranoid, you can clone the repo first and verify all that for yourself.
`curl | bash` is simply not a bad practice, despite security theater claiming it is. There may indeed be better practices but that doesn't make this one bad.