“Should I pipe it?”

So, fellow developers, you know how we’re all told not to pipe installation scripts into our shells and yet we all do it anyway? I just rolled a little something that might help with that…

Here’s an example of the nvm install script, verified by yours truly:


What do you think?

Anyone with a GitHub account can help verify installation scripts (would be good to have two more for nvm).

Instructions: github.com/small-tech/should-i

Thoughts? :)


One thought on the security: Do you fake a real client?

- Use a curl/wget User-Agent
- Use changing (unpredictable) dial-up IPs and no data center / proxy / tor IPs.

Otherwise I could serve the site a harmless script and send the users an evil script.

An even better option could be to check the script and then offer a button to download the checked script. This would mitigate the problem and even in the case of an attacker who serves different scripts, the user gets the harmless one.

Sign in to participate in the conversation

chaos.social – a Fediverse instance for & by the Chaos community