Hacker News new | past | comments | ask | show | jobs | submit login

I agree you shouldn't pipe uninspected code into bash, but it's not that hard to just read the script first. When I visit https://get.volta.sh in a browser I see a human readable shell script with comments and everything.



But how can you be sure that the content you get in a browser is the same content that you get with curl?

Serving different content based on the user agent header or similar is not exactly difficult.

And there are even [sneakier ways](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...) to identify if you're curling into bash.


That’s so cool




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: