
> curl -s https://raw.github.com/xdissent/ievms/master/ievms.sh | bash

Bad trend in the open-source community. Please don't ask your users to install stuff this way. Not that you can't be trusted; it leads to people dropping their guard.




I kind of view bash piping as the world's easiest install package.

Unequivocally, it is dangerous to run random pieces of code from the internet, it just seems odd to me that if this same code was in a nice packaged install wizard nobody would say anything about it.


Maybe it should include a first step of piping it to less for review, followed by piping to bash if it looks fine. Slightly better...
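The review-before-run step suggested above, written out as an added example (this is not code from the thread or from the ievms project): the script is downloaded to a file rather than streamed into bash, its SHA-256 digest is compared against a value pinned in advance, it is opened in a pager for review, and it runs only after an explicit confirmation. The digest check goes beyond the comment; it also covers the tampering and spoofing concern raised further down the thread, since a swapped or truncated download is refused regardless of how it was transported. Assumed: `curl`, `sha256sum` (or `shasum`) and `less` are on PATH; the digest in the usage comment is a placeholder, not a real value.

```shell
#!/bin/sh
# Added example, not from the thread or the ievms project: "download, verify,
# review, then run" as an alternative to `curl ... | bash`.
# Assumptions: curl, sha256sum or shasum, and less are available on PATH.

# sha256_of FILE -> prints the hex digest, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
# Pinning the digest means a modified or half-transferred file is rejected
# even when the download channel itself cannot be trusted.
verify_script() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
    "$1" "$2" "$actual" >&2
  return 1
}

# fetch_review_run URL EXPECTED_SHA256
#   1. download to a temp file (bash never sees a partial stream)
#   2. stop unless the digest matches the pinned value
#   3. open the script in $PAGER (default: less) for review
#   4. execute only after the user types "yes"
fetch_review_run() {
  url=$1
  expected=$2
  tmp=$(mktemp) || return 1
  trap 'rm -f "$tmp"' EXIT

  curl -fsSL "$url" -o "$tmp" || { echo "download failed" >&2; return 1; }
  verify_script "$tmp" "$expected" || return 1

  "${PAGER:-less}" "$tmp"
  printf 'Run %s? [yes/NO] ' "$url"
  read -r answer
  [ "$answer" = "yes" ] || { echo "aborted" >&2; return 2; }
  bash "$tmp"
}

# Usage (the digest below is a placeholder; obtain the real one from the
# project through a channel other than the download itself and pin it):
#   fetch_review_run https://raw.github.com/xdissent/ievms/master/ievms.sh \
#     0000000000000000000000000000000000000000000000000000000000000000
```

The pinned digest only adds protection if it comes from somewhere other than the same URL (a release page, a signed tag, a colleague who already audited the file); if you fetch the script and the digest from the same place at the same time, you have only checked that the download was not corrupted.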


At which point the people who know how to read it will do so (I did, out of curiosity) because it's so easy, and the people who don't will get

  jargonjargon [*&*@![]2\3
  if [[jargon -f "words!"]]
    jargon # jargon jargon
    jargon /&$_)(82
  fi # jargon the jargon
  jar(){
    gon                           # yay pictures!        #
    ∑´∞§∞¶•ø¨ˆ∆£˜¡–ª¢ø•ª¶π™˜£º¥µ # <(^.^)>              #
    ˚∆∂¥•¡º™ª•¶ƒ˙¨ˆ               #                      #
    ˙π¡˜ø£•¶√≠˚•™µº–£¨≤           # <= ˚∆˚! but it works #
  }
and just go to the next step.


Did you just come up with that? Hilarious


This comes up every time an install script like that is used, and in a lot of cases, it's an unwarranted criticism.

Projects like this are obviously targeted towards developers as they're hosted on github. If you really want to check out what the script is doing, just look at the file. Or better yet, clone the repo and use it/install however you want.


> Bad trend in the open-source community. Please don't ask your users to install stuff this way. Not that you can't be trusted; it leads to people dropping their guard.

And what would be the right way to do it? The way people don't drop their guard? `./configure && make && sudo make install`? Or `sudo apt-get install`? How are any of these or many other options seemingly better than this?


You probably mean 'add-apt-repository foorepo && apt-get update && apt-get install foopkg' or 'dpkg -i foopkg' (as root) because as is, 'apt-get install' is innocuous given one uses the default trusted, signed and whatnot repos.


Is it particularly worse than downloading and blindly running the code in separate steps? I don't think the majority of users have ever extensively audited the software they run, so it's not exactly a new trend. If you are capable of evaluating this script, you already know how to do it.


I would bet a fair amount would open the script up in an editor and say, "Yep. That's code alright".


Why is it worse than running an installer? It has identical capabilities, but the .sh file can be read.


If you install a package via the package managers on Debian, Ubuntu, Fedora, and other major distros you can be reasonably sure that the packages aren't malicious because they've been security reviewed before they made it into APT/YUM/etc. Downloading some shell script off the internet and running it without even reading it first is a really bad idea by comparison.


So, you mean like everything on OS X and Windows, where you don't have such package management systems with (long-standing, trustable) benevolent hosts? Yeah, downloading some application off the internet and running it is a really bad idea - how is this worse?

edit: how about iOS? There have been news entries about them sending data where they shouldn't - that's a curated host. iOS is a lot more sandboxed, but that doesn't make the danger nonexistent.


[deleted]


I take it you don't use pip, gem, sbt, (insert your favorite language's package manager) either?

If you do, what's the difference?


> If you install a package via the package managers on debian, ubuntu, fedora, and other major distros you can be reasonably sure that the packages aren't malicious because they've been security reviewed before they made it into APT/YUM/etc

When people are delivering software that isn't in the official repository, downloading a script and running it is no less secure than the alternatives.


I'd support this more if they weren't using https - since the user's going to run it anyway, there's no real advantage over any other means of getting this file onto their system. Well-known http:// urls are worse since they allow interesting spoofing attacks if they become popular.



