On Wed, Mar 07, 2018 at 12:05:17PM +1100, Paul Dwerryhouse wrote:
> On 2018-03-07 11:44, Craig Sanders via luv-main wrote:
> > BTW, it's not always a good idea to follow install instructions from
> > developers. Many of them are focused exclusively on their pride and joy
> > and don't give a damn about the operating system it runs on....and many
> > see the OS as an obstacle to be worked around.
> Oh, so you mean that best practice for production installs *isn't* to run
> curl-pipe-sudo-bash that pulls something from the head of a random github
> repo and then runs npm to splatter it across your filesystem? ;)

Whatever gave you that impression :)

It's always perfectly safe to run arbitrary shell code downloaded with curl as
root. Just pipe it straight in with sudo. That's so clever.
After all, it's recommended by the **developers**. They know what they're
and their shell code is guaranteed to be bug-free even if their expertise is
entire life. sh isn't even a real programming language so it can't be that
hard to get right.

PS: yes, this **IS** one of my pet peeves. IMO every dev who ever suggests
`curl | sudo sh` (or similar) as an install method deserves to be tasered
every single time someone follows their advice. It's criminally negligent.

Ditto for devs who say things like "screw the system, install my super-special
program direct from my repo because distro maintainers waste time integrating
software into the system and testing that it doesn't break anything, rather
than immediately jumping onto the latest version as soon as I release it".
They whinge a lot about package management and packaging tools, and then
implement a half-arsed version of their own package management "system" like
`pip` or `gem` or `npm` without bothering to avoid - or even research - any of
the issues that distro developers solved years ago in tools like dpkg and rpm.
"I know what users crave, it's my brawndo-installer, 'curl|sudo sh' - It's got
craig sanders <c...@taz.net.au>
luv-main mailing list