Commenting about the cringe-worthiness of the tone: I noticed early on in my career that folks seem to be extremely polar in their idea of "right" and "wrong" choices when it comes to software. This crystallization is self-fulfilling, as the bombastic tone dissuades softer voices from expressing dissenting opinions or new ideas. Sometimes there are scientifically proven "right" ways to do things, i.e. comparing the computational or space efficiency of different algorithms. When it comes down to code style and API design though, what really matters is self-consistency and clarity. Much of the rest is down to preference and personal expression.
Being able to read and understand other people's code is a tremendous skill. Passing technical interviews is a skill in and of itself. Everyone has room to grow, and even the most experienced software engineers have gaps in their knowledge. Seek honest feedback from your peers, explore data structures, "Big O", and software design patterns (OOP isn't the end-all-be-all), and watch yourself grow. Most of all, believe in yourself, keep coding and making things happen.
It always icks me out when people recommend this. Like with `get-pip.py`... It's fine to download that and run it to install pip, but for the love of GNU please at least take a cursory glance at what you're running!
If "pip install" tries to install a system-wide package, it will break so many things, the author will get many bug reports. Unless this is an abandoned project, this will get fixed. And "pip install" does not need root access in most cases.
If "| curl" does this, it is basically normal to do anything. And root access is required in a lot of cases.
They are doing different things, and that is exactly the point! Here is a random example:
"meteor.js" was the first relevant hit for a curl|sh query on Google. It is a JavaScript app platform. You are supposed to use "curl | sh" to install it ( https://install.meteor.com/ ). This file:
- Hardcodes install location to ~/.meteor (and removes previous location of it).
- Uses "sudo" to write to /usr/local/bin/meteor
Compare it with "scipy", which can be called a scientific app platform. It tells you to install via pip to user dir ( https://www.scipy.org/install.html ). It installs itself only to this dir, and nowhere else (I know it because I use it at work a lot, and we do pre-packaged virtualenv here). It is also using standard mechanisms -- if you want to have many versions side-by-side, it is trivial.
Can you write |sh script so it minds its own business and only writes to a single directory? Yes. Do people do this? Not very often.
-----
When I wrote this, I thought: maybe I am biased towards curl|sh method because I don't know of one? So I went to the HN front page, looked at the last 210 entries, chose every one which looks like software installable on a PC, and tried to evaluate the system impact:
- Dephell: curl | python, no side effects other than forced install location.
- neo.mjs: installed via node, presumably no side effects outside of node/project dir
- huginn: manual steps, all manual -- or docker. No surprises either way.
- ponylang: docker or PPA. No surprises.
- Poetry: installed via "curl|python", modifies my .bashrc to set PATH (to be fair, it told me about this afterwards...)
- Uni the unicode database: use "go get", no side effects
- Qt 5.1 -- commercial, "installer app".
- Virtualbox 6.1 -- installed via .deb file (system-wide but expected)
- event-driven-shell -- run from repo, optional "make install"
We've had 2 "curl |" apps. One of them was modifying my ~/.bashrc.
We've had 4 "traditional" apps -- which used "checkout repo and run command" method. None of them were writing stuff outside of their checkout dir. Some of them explicitly recommended that users change their .bashrc.
We've also had some docker apps and .deb-installed apps. Of them, virtualbox and Qt could write all over the place -- but they are much more "heavy weight" compared to other ones.
----
This is not a very big sample, but I think it is pretty representative. Once piping things into shell, it seems people cannot help but install stuff all over the place. It is just like "make install" was -- except it is not optional this time.
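As an added example (not part of the original comments and not any project's own installer), here is one way to take the "cursory glance" in a repeatable form: save the installer to disk first, then flag the side effects discussed above (sudo, recursive deletes, edits to shell rc files, writes to system paths) before running it. The regexes are heuristics chosen for this example, and `exampletool` and the sample script are constructed.

```shell
#!/bin/sh
# Static pre-run audit of a downloaded installer script (added example).
# Usage: audit_installer < install.sh   (a file saved to disk, not piped into sh)
# Prints "category: LINE:text" per finding; no output means nothing was flagged.
audit_installer() {
    # Drop comment-only lines but keep the original line numbers.
    numbered=$(grep -nvE '^[[:space:]]*#' || true)
    scan() {  # $1 = category label, $2 = extended regex (heuristic)
        printf '%s\n' "$numbered" | grep -E -- "$2" | sed "s|^|$1: |" || true
    }
    # Privilege escalation inside the installer.
    scan privilege '(^|[^[:alnum:]_-])(sudo|doas)([[:space:]]|$)'
    # Recursive deletes, e.g. removing a previous install directory.
    scan recursive-delete '(^|[^[:alnum:]_-])rm[[:space:]]+-[[:alpha:]]*[rR]'
    # Edits to shell start-up files such as ~/.bashrc.
    scan shell-rc '\.(bashrc|bash_profile|zshrc|profile)([^[:alnum:]_]|$)'
    # Absolute system paths; "$HOME/bin" and "~/bin" are not flagged.
    scan system-path '(^|[^[:alnum:]_.~/-])/(usr|etc|opt|bin|sbin)(/|[[:space:]]|"|$)'
    return 0
}

# Constructed sample installer showing the behaviours the thread describes.
sample_installer() {
    cat <<'EOF'
#!/bin/sh
# constructed sample, not a real project's installer
PREFIX="$HOME/.exampletool"
rm -rf "$PREFIX"
mkdir -p "$PREFIX/bin"
cp exampletool "$PREFIX/bin/"
sudo cp "$PREFIX/bin/exampletool" /usr/local/bin/exampletool
echo 'export PATH="$HOME/.exampletool/bin:$PATH"' >> "$HOME/.bashrc"
EOF
}

sample_installer | audit_installer
```

A clean result only means none of these patterns appeared; it does not replace reading the script.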
If they don't have https that is one thing, but if you ever install a ruby gem or python library you're already giving others command over your system. I know it sucks, but it's true.
It definitely sounds like the problem is with your team's culture. I stayed on with my last team and company for 6 years, 3 years beyond the point where it was enjoyable, and wish I had left sooner.
Back in 2008, I chose PHP for my first forays into web programming because of how easy it was to set up and use compared to other solutions I was aware of. The last time I touched it was back in 2011. Python has pretty much completely replaced PHP for me. Get a good basic web framework like CherryPy or Bottle and couple it with a templating engine like Jinja2 or Mako and you can do anything you could do in PHP, but in a better ecosystem.