
Run "curl https://alx.sh | sh", ???, profit.

This will download and execute the Asahi Linux installer. If you want to check the source ahead of time, it's on the Asahi Linux GitHub.

While functionality improves rapidly every day, it is still decently rough around the edges. However, the installer is very streamlined and it's easy to get set up and try it out.




Just pointing out anyone can purchase a domain and redirect it to the official website while also serving a malicious script.


1. Someone asks how to do something

2. Someone tells him

3. Third person chimes in “you know, it’s technically possible that they’re lying!” despite no evidence of that being the case.

Tough crowd…

(Btw, you can easily verify that the alx.sh installation method is recommended by official sources, for example here: https://asahilinux.org/2022/03/asahi-linux-alpha-release/)


In this case however the official site provides the same guidance. Still, don’t pipe scripts to shells. At least read the script first.


Sure, but I didn’t know that from reading the comment


Right. I don’t trust the comment but I do trust the official site.


> Still, don’t pipe scripts to shells

Why not? Without looking, I assume that the script is downloading a binary and running it. What could it be doing that is more dangerous than that?


It can be doing anything your shell is privileged to do. You’re effectively giving password-less ssh to the Internet.


I think the point that sebzim4500 was making is that the script is downloading an arbitrary binary and running it and that this isn't any less dangerous than running an arbitrary script, so you're screwed either way.

If someone wanted to do `rm -rf /` on your system, they wouldn't put it in the setup script you're piping to sh: they'd put it into the binary, making your inspection of the setup script effectively useless.


If an installation script is downloading an arbitrary binary then I’m not running that script unless that binary also comes from a trusted source. We have PKI to prove that sites are who they claim to be. I only run binaries from trusted sources.


But then if you trust that source and its binaries, why would you inspect their scripts? What extra protection does that give you? None, imo.


How is that different from downloading a binary from the internet and running it?


Knowledge and trust of the source.


For the record, I think this is a totally reasonable comment, and I don't see why it's being downvoted. Often, the same people who spread FUD about shell script installers will download a binary from GitHub releases, npm, etc. without a second thought.

There are a few things that make shell script installers particularly dangerous, though. I don't think any are meaningful with the way people normally use computers, but they could be meaningful in the future if we improve our collective security posture:

* Shell script installers aren't digitally signed. Most OSes have pretty weak code signature schemes anyway. They're littered with root-of-trust issues that prevent a lot of OSS from being signed to begin with, and in turn, the vast majority of users (especially power users) ignore code signing warnings. But, as these problems are addressed, shell scripts will become weaker and weaker in comparison to binary packages.

* Shell script based sites can fingerprint the client and serve different content to a browser and to the "curl" command, confusing users who attempt to audit what's going to run before it's passed into the shell script command. This is a fine argument and a real problem with the "pipe to sh" approach. However, unless the user is also independently checksumming or disassembling every binary application they download, it's also a bit of a straw man.


> Often, the same people who spread FUD about shell script installers will download a binary from GitHub releases, npm, etc. without a second thought.

Nice straw man. Completely unfalsifiable. I didn’t bother reading the rest.


You can detect whether a script is being piped to shell or just downloaded, and serve different content. At least pipe it to a file, then execute that file.
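The "download to a file, read it, then run it" routine the thread recommends, written out as an added example (not code from the thread or from the Asahi project): it fetches the installer to a temp file over HTTPS only, optionally checks it against a SHA-256 you obtained out of band, and opens it in a pager before asking whether to execute. It assumes a Linux userland with `curl` and `sha256sum`; the expected hash is a placeholder the caller supplies, and `https://alx.sh` is the URL from the thread.

```shell
#!/bin/sh
# Added example: fetch, inspect, verify, then run an installer script
# instead of piping it straight into sh.
set -eu

# fetch_script URL DEST: download to a file so the bytes you read are the
# bytes that will run. --fail aborts on HTTP errors (no error page as
# "script"); --proto/--tlsv1.2 refuse plaintext and old TLS, including on
# redirects.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_script EXPECTED_SHA256 FILE: compare against a hash obtained out of
# band (release notes, signed announcement). Returns 0 on match, 1 otherwise.
verify_script() {
    expected=$1
    file=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# run_reviewed URL [EXPECTED_SHA256]: the whole flow. The hash argument is
# optional because not every project publishes one; when given, a mismatch
# stops before anything is shown or run.
run_reviewed() {
    url=$1
    expected=${2:-}                      # placeholder: supply your own
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_script "$url" "$tmp"
    if [ -n "$expected" ]; then
        verify_script "$expected" "$tmp" || {
            echo "sha256 mismatch for $url, not running" >&2
            return 1
        }
    fi
    ${PAGER:-less} "$tmp"                # read it first
    printf 'Run %s? [y/N] ' "$tmp"
    read -r answer
    [ "$answer" = y ] && sh "$tmp"
}

# Usage (not invoked here): run_reviewed https://alx.sh <sha256-from-release-notes>
```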


There aren't many things more dangerous than that.



