Developers: I will never ever do that, no one should ever do that, and you should be ashamed for guiding people to. I get that you want to make things easy for end users, but at least exercise some bare minimum common sense.

The worst part is that bun is just a single binary, so the install script is bloody pointless.

Bonus mildly infuriating is the mere existence of the .sh TLD.

Edit b/c I’m not going to answer the same goddamned questions 100 times from people who blindly copy/paste the question from StackOverflow into their code/terminal:

WhY iS ThaT woRSe thAn jUst DoWnlOADing a BinAary???

  1. Downloading the compiled binary from the release page (if you don’t want to build yourself) has been a way to acquire software since shortly after the dawn of time. You already know what you’re getting yourself into
  2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.
  3. Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)
  4. The install script they’re telling you to pipe is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.

The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice.

  • barsoap@lemm.ee
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    2 days ago

    --proto ‘=https’ --tlsv1.2

    That’s how you know they care, no MIMing that stuff without hijacking the CA at which point you have a whole another set of problems, and if you trust rustc to not delete your sources when they fail a typecheck, then you can trust their installer. -f is important to not execute half-downloaded scripts on failure, -s and -S are verbosity options, -L follow redirects.

    • tgt@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 hours ago

      So I was wondering what the flags do too, to check if this is any safer. My curl manual does not say that -f will not output half downloaded files, only that it will fail on HTTP response codes of 400 it greater… Did you test that it does not emit the part that it got on network error? At least with the $() that timing attack won’t work, because you only start executing when curl completes…

      • barsoap@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        7 hours ago

        With the caveat that I’m currently blanking on the semantics of sub-shells yes I think you’re right, -f is about not executing <hmtl><h1>404 Not Found</h1></html>. Does curl output half-transferred documents to stdout in the first place, though, and also bash -c is going to hit the command line length limit at some point.

        And no I haven’t tried anything of this. I use a distribution, I have a package installer.

        • tgt@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 hours ago

          See the proof of concept for the pipe detection mentioned elsewhere in the thread https://github.com/Stijn-K/curlbash_detect . For that to work, curl has to send to stdout without having all data yet. Most reasonable scripts won’t be large enough, and will probably be buffered in full, though, I guess.

          Thanks for the laugh on the package installer, haha.

          • barsoap@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            4 hours ago

            Just skimmed through rustup-init.sh and executing half-downloaded things is not an issue, it’s all function declarations, one set -u and one variable declaration (without side effects) before the last line of the script kicks off everything with main "$@" || exit 1. It’s also a dash/bash/ksh/zsh/whatever-polyglot, someone put a lot of thought in this. Also it’s actually just figuring out the architecture and OS to know what binary installer to download. So don’t worry, it won’t accidentally rm -rf /usr.