1. 15
  1. 3

    While we are on the subject of Docker, unrelated to this issue is another absurdity I just ran across here: https://github.com/docker/for-linux/issues/430#issuecomment-437158716

    Therein is a Docker contributor telling people to run this command on their machines:

    curl -fsSL get.docker.com | CHANNEL=test sh
    

    This kind of stuff is negligence in the extreme, and I don’t know whether the answer to this is social shaming or what, but it has to stop. To be clear:

    1. Never tell someone to run arbitrary commands over HTTP
    2. Avoid telling someone to run arbitrary commands in general, even over HTTPS
    3. Always properly package and sign your binaries. Use AppImage, Flatpack, Snapcraft and/or Nix
    1. 1

      at least they included the -f option:

         -f, --fail
                (HTTP) Fail silently (no output at all) on server errors. This is mostly done to better enable scripts  etc
                to  better  deal  with failed attempts. In normal cases when an HTTP server fails to deliver a document, it
                returns an HTML document stating so (which often also describes why and more). This flag will prevent  curl
                from outputting that and return error 22.
      
                This method is not fail-safe and there are occasions where non-successful response codes will slip through,
                especially when authentication is involved (response codes 401 and 407).
      

      and wrote the script to only be definitions until the last line.

      So at least they avoided a couple of pitfalls?

      1. 3

        I’m not sure what -f has to do with what I wrote. The issue is curl shouldn’t be used to install things, especially over HTTP.