
I never understand why people get more upset about the bash script running arbitrary code than the program it's actually installing.



Oftentimes the installer needs greater system access than the code you're running, particularly on Windows.

IME most of the randomly-downloaded software I've used does what it says on the tin. But there is a whole screening process: where did it come from? Does the originating site look legit? What are the possible motivations for the creator?

Besides there is no signing mechanism for your random install.sh. Maybe you check the SHA256 but if an attacker alters the script why not alter the website with the hashes too?


Aren't the most interesting things to steal already in the user's home folder, so having admin rights won't really give you that much more.


Depends on the malware. Not all of them aim to steal, some may want to turn your PC into a botnet node, or a remote proxy for illegal activities.


You're absolutely right

https://xkcd.com/1200/


It’s not that the bash script is worse than the installed program. The problem is that the bash script risks installing a malicious program.



