On Friday, 2 February 2018 at 02:25:47 UTC, Arun Chandrasekaran
wrote:
On Friday, 2 February 2018 at 02:15:55 UTC, psychoticRabbit
wrote:
On Thursday, 1 February 2018 at 17:13:52 UTC, Seb wrote:
curl https://i.dlang.io/install.sh | bash -s dmd
Yeah..let's all run an untrusted shell script (with unknown
contents), right off the web.
Will people never learn?
Relax and take a break. You can still download the script,
review and then run it as required.
First I had a typo there - it should have been
curl https://dlang.io/install.sh | bash -s dmd
(I type to much text on my tiny phone screen these days).
Apart from as Arun correctly pointed out, going the two step
route of doing your audit locally:
---
wget https://dlang.io/install.sh
vi install.sh # do your audit
bash install.sh
---
Also:
- note that install.sh will download the official D keyring
(https://dlang.org/gpg_keys.html), with which all binaries + the
script itself are signed, s.t. it can verify binaries + updates
to the script.
- it's a fairly common practice, e.g. https://www.rustup.rs
