don't suggest curl | bash #241
Well Ask owns xrl.us and I own the GH installperlosx account...
It has also been like this for years
Happy to add copy saying people should check the source first or something - but it's going to take them a while to do so...
Also this doesn't need (indeed should not be) the root user doing it... that kind'a being the point... which might be another thing to clarify I guess
On 15 Jul 2017, at 23:17, Robert ***@***.***> wrote:
> http://learn.perl.org/installing/osx.html contains
> curl -L http://xrl.us/installperlosx | bash
> which is a horrible security anti-pattern.
> Yes, it's extremely simple, but we shouldn't be encouraging people to do this without enough warnings to dissuade them. What happens if someone changes where that short link redirects to? What if someone changes the result to do sudo rm -rf /.
It's less about whether this specific case is good or bad and more about this particular pattern being bad. Ok, it's safe this time. But it might not be next time. What if your github account gets hacked? What if gugod's github account gets hacked? Or if they start getting used to this anti-pattern and run it for some other tool? (Yes, this is nearly exactly as dangerous as downloading any other pre-compiled binary, but for some reason it feels riskier.) What's wrong with the perl that comes with OSX?
Also: since it's http I don't need to own the endpoints to inject bad stuff in the curl response. If it were https, that would be better, but xrl.us doesn't support https (or at least the cert was failing for me today).
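The safer pattern the two comments above are asking for (fetch the installer to a file over HTTPS only, compare it against a checksum published separately, read it, then run it as an unprivileged user), as an added example that is not part of this issue or of learn.perl.org; the URL, the pinned hash and the function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: replaces "curl -L http://... | bash"
# with download -> verify -> inspect -> run.  Nothing here is executed
# until it has been written to disk and its digest has been checked.

# Print the SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the expected (out-of-band) digest.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download to a file, never to a pipe.  -f fails on HTTP errors; the --proto
# options refuse plain http even when a short link redirects to it, which
# closes the "it's http, so anyone on the path can inject" problem.
fetch_script() {
    url=$1
    out=$2
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$out" "$url"
}

# Placeholder URL and hash: a real installer would publish its digest
# somewhere other than the download location itself.
install_from() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    fetch_script "$url" "$tmp" || { rm -f "$tmp"; return 1; }
    if ! verify_script "$tmp" "$expected"; then
        echo "checksum mismatch for $url; refusing to run it" >&2
        rm -f "$tmp"
        return 1
    fi
    ${PAGER:-less} "$tmp"   # read what you are about to execute
    sh "$tmp"               # run as the current user, not via sudo
    rm -f "$tmp"
}
```

Usage would be `install_from https://example.invalid/installperlosx <published-sha256>`; a mismatch leaves nothing executed.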
FWIW, I just fixed the cert.
A few things now, apparently: https://rt.cpan.org/Public/Bug/Display.html?id=127028
Either way,