While we are on the subject of Docker, unrelated to this issue is another absurdity I just ran across here: https://github.com/docker/for-linux/issues/430#issuecomment-437158716
Therein is a Docker contributor telling people to run this command on their machines:
curl -fsSL get.docker.com | CHANNEL=test sh
This kind of stuff is negligence in the extreme, and I don’t know whether the answer to this is social shaming or what, but it has to stop. To be clear:
Never tell someone to run arbitrary commands over HTTP
Avoid telling someone to run arbitrary commands in general, even over HTTPS

at least they included the -f option:
-f, --fail
(HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts etc
to better deal with failed attempts. In normal cases when an HTTP server fails to deliver a document, it
returns an HTML document stating so (which often also describes why and more). This flag will prevent curl
from outputting that and return error 22.
This method is not fail-safe and there are occasions where non-successful response codes will slip through,
especially when authentication is involved (response codes 401 and 407).
and wrote the script to only be definitions until the last line.
So at least they avoided a couple of pitfalls?

I’m not sure what -f has to do with what I wrote. The issue is curl shouldn’t be used to install things, especially over HTTP.
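
The pitfalls raised in this thread (plain HTTP, a download cut off partway, an unexpected server response) can all be closed by fetching to a file over HTTPS only and checking it against a pinned SHA-256 before anything executes. The sketch below is an added example, not part of the thread and not Docker's code; the function names are hypothetical, and it assumes the publisher distributes the expected digest through a separate trusted channel.

```shell
#!/bin/sh
# Added example: fetch an installer over HTTPS only, verify a pinned SHA-256,
# and only then run it. All function names here are hypothetical.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Download $1 to $2. A URL without an explicit https:// scheme is refused:
# curl treats a bare host name such as "get.docker.com" as plain HTTP.
fetch_https() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
    esac
    # --proto/--proto-redir also keep redirects (-L) from leaving HTTPS.
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# Succeed only if file $1 hashes to the pinned digest $2.
verify_file() {
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch: got $actual, expected $2" >&2
        return 1
    fi
}

# Fetch, verify, then execute; nothing runs until the whole file has checked out.
install_verified() {   # usage: install_verified URL SHA256 [ENV=VALUE ...]
    url=$1; pin=$2; shift 2
    tmp=$(mktemp) || return 1
    if fetch_https "$url" "$tmp" && verify_file "$tmp" "$pin"; then
        rc=0; env "$@" sh "$tmp" || rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Because the digest covers the whole file, a truncated or tampered download fails the check regardless of how the script is laid out internally.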