You’ve seen it: many popular tools will have a one-liner homepage with something along the lines of <code>curl https://fancy.tool/install.sh | /bin/sh</code>. And inevitably people will comment on how unsafe this is. I don’t get it. How is it any more unsafe than cloning a repo and building and running its code?
If someone manages to replace that .sh on the website with something malicious, you have no idea what you’re installing.
It’s less work than replacing an entire repo, so it’s a more likely attack vector.
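
A defensive alternative to the one-liner discussed in this thread, added here as an example and not taken from any post or from a real project: save the script to a file, compare it against a pinned SHA-256, and run it only on a match. It assumes the project publishes the digest through a channel other than the web server hosting the script; the function names and `PINNED_SHA256` are hypothetical.

```shell
#!/bin/sh
# Added example: download to a file, check a pinned SHA-256, then run.
# Assumption: the expected digest was obtained out of band (not from the
# same server that serves install.sh), otherwise the check adds nothing.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_script() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_HEX: never pipes the network into a shell.
fetch_verify_run() {
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors; --proto '=https': refuse plain HTTP.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_script "$tmp" "$2"; then
        echo "digest mismatch for $1: refusing to run" >&2
        rm -f "$tmp"; return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (PINNED_SHA256 is a placeholder, not a real value):
# fetch_verify_run https://fancy.tool/install.sh "$PINNED_SHA256"
```

Downloading to a file first also means a dropped connection cannot leave the shell executing half a script.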