this post was submitted on 09 Jul 2025
27 points (90.9% liked)

Linux


We all know how common terminal one-liners have become as an installation method on GNU/Linux and what the issues with them are, but let's recap quickly.

You go to a page of some project and it tells you to do curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh or curl -fsSL https://deno.land/install.sh | sh. The only way to verify that this command will not delete all your files or install malware is to manually review the entire script.

So... why not create a secure script repository? On a central website you would create an account for a project and submit a script. On the other side we would provide a binary client that will download and execute the script (we can call it grunt, from "get and run it"). So as a user you would run for example grunt rustup and it would get and execute the script created by the rustup project. I imagine it shouldn't be that difficult to add a tiny package to the major distros.

I believe this would be a fairly simple project that would solve all the security issues typical terminal one liners have.

On the website for uploading scripts we could introduce:

  • multi user approval flow for script updates
  • 2FA
  • static checks of the scripts
  • reporting system for compromised scripts
  • verified project status

On the client side we could:

  • provide info about this script's security (how many people reviewed it, when it was last updated, whether the project is verified)
  • provide info about downloads (how many times this script has been downloaded since the last update)
  • do additional checks (maybe the project could provide MD5 of the script on their servers and grunt could verify it?)

So it would look something like this:

# grunt rustp

Downloading rustp.sh from https://getandrun.it/...
Last updated 30 days ago.
Downloads since last update: 5
Verified project: No
Reviewed by 1 user

Execute script [y/N]

Clearly something is wrong...

# grunt rustup

Downloading rustup.sh from https://getandrun.it/...
Last updated 60 days ago.
Downloads since last update: 5342
Verified project: Yes
Reviewed by 3 users
Comparing MD5 checksum with https://rustup.rs/grunt_md5... Passed

Execute script [y/N]

That's better!

Right? So why don't we have something like this? Or do we, and it simply didn't get enough traction?

========

So just to address some of the comments. No, it's not a package manager. Package managers are complex tools that handle versioning, dependencies, updates, uninstalls and so on. Package managers are also distro specific. A lot of devs decide not to use package managers and use bash scripts that are distro agnostic and don't rely on external maintainers and packagers. It would be ideal if everyone used secure package managers but the reality is they don't. This solution is a compromise that offers devs full control of software distribution while introducing decent security.

=======

Someone suggested brew. How do you install brew according to https://brew.sh/ ?

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

See the problem?
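As an added example that is not part of the post or of any existing tool, here is a small shell wrapper that performs the checks the proposed client would do: an exact-host check that rejects lookalike domains like the sh-rustup.rs example, download to a file instead of piping into sh, a digest comparison against a checksum published on the project's own domain, and a prompt before execution. The URLs and the checksum file location are assumed placeholders, and SHA-256 stands in for the MD5 the post mentions.

```shell
#!/usr/bin/env bash
# Added example, not code from the post or from any real "grunt" client.
# Assumption: the project publishes a SHA-256 of its installer at a URL on
# its own domain (placeholder URLs below). SHA-256 replaces the MD5 the post
# mentions because MD5 collisions are cheap to produce.
set -eu

# url_host_matches <url> <expected-host>
# Succeeds only for an https URL whose host is exactly <expected-host>, so
# https://sh-rustup.rs/ is rejected when sh.rustup.rs is expected.
url_host_matches() {
    local url="$1" want="$2" host
    case "$url" in https://*) ;; *) return 1 ;; esac
    host="${url#https://}"; host="${host%%/*}"; host="${host%%:*}"
    [ "$host" = "$want" ]
}

# verify_script <script-file> <expected-sha256>
# Succeeds when the file's SHA-256 equals the published digest.
verify_script() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetch_verify_run <script-url> <checksum-url> <expected-host>
# Downloads to a file (never straight into sh), checks host and digest,
# prints a summary, and executes only after the user confirms.
fetch_verify_run() {
    local script_url="$1" sum_url="$2" host="$3" tmp expected ans rc=0
    url_host_matches "$script_url" "$host" || { echo "host mismatch: $script_url" >&2; return 1; }
    url_host_matches "$sum_url" "$host"    || { echo "host mismatch: $sum_url" >&2; return 1; }
    tmp=$(mktemp)
    curl --proto '=https' --tlsv1.2 -sSf -o "$tmp" "$script_url"
    expected=$(curl --proto '=https' --tlsv1.2 -sSf "$sum_url" | awk '{print $1}')
    if ! verify_script "$tmp" "$expected"; then
        echo "checksum mismatch, refusing to run" >&2; rm -f "$tmp"; return 1
    fi
    echo "Fetched $(wc -c <"$tmp") bytes, sha256 $expected (review with: less $tmp)"
    read -r -p "Execute script [y/N] " ans
    case "$ans" in y|Y) sh "$tmp" || rc=$? ;; esac
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder project):
# fetch_verify_run https://example.org/install.sh https://example.org/install.sh.sha256 example.org
```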

[–] nous@programming.dev 14 points 1 day ago (2 children)

There is also no way to verify that the software that is being installed is not going to do anything bad. If you trust the software then why not trust the installation scripts by the same authors? What would a third party location bring to improve security?

And generally what you are describing is a software repo, you know, the one that comes with your distro.

[–] moonpiedumplings@programming.dev 7 points 1 day ago (2 children)

There is also no way to verify that the software that is being installed is not going to do anything bad. If you trust the software then why not trust the installation scripts by the same authors

Just because I trust the authors to write good software in a popular programming language, doesn't mean I trust them to write shell scripts in a language known for footguns.

[–] Badabinski@kbin.earth 4 points 1 day ago

Yeah, I don't run shell scripts unless I can review them first. I'm considered "the bash guy" at my job, and part of that means reviewing people's scripts. I have referenced this wiki page hundreds of times because so many people don't know how fucking shit Bash is as a language. My god, every time I see set -euo pipefail I want to scream until my lungs exit my body and then I leave a polite comment about how that might be a bad idea and link this page.

[–] nous@programming.dev 2 points 19 hours ago

Then how would you trust these scripts in a central repo? Seems to add no real value or safety over dev managed scripts if you are not willing to go down the path of becoming yet another distro packaging system.

[–] ExLisper@lemmy.curiana.net 0 points 1 day ago* (last edited 1 day ago) (2 children)

If you trust the software then why not trust the installation scripts

I can trust for example rustup but how can I be sure someone didn't hack and defaced their website? You go to a website and see curl --proto '=https' --tlsv1.2 -sSf https://sh-rustup.rs/ | sh. Can you say if that's valid? Because it's not. I changed it. grunt rustup is much easier to verify and it would offer additional checks I described.

So it will protect you from webpage attacks but you also don't know how the script uploaded to sh.rustup.rs was verified. Maybe the server was hacked and the script was changed? Are you going to check the MD5 manually? You should, but will you do it? Maybe the rustup team has weak internal security and someone changed this script without a proper review process? A central repo would ensure that review was followed.

And finally, sometimes you don't really know if you can trust the project. Right now you can just take your chance or not install it at all. With a central repo you can at least get some stats and you can do some static analysis server side. In the worst case, if you execute something malicious, you can report it and it will be removed. Right now there's nothing you can do about a malicious install script.

[–] nous@programming.dev 2 points 19 hours ago (1 children)

If the package is popular then it is very likely already packaged by your distro. You should always go there first if you care that much. If the package is not popular enough to be packaged by a distro then how does another centralized approach help? Either it is fully curated like a distro package list and likely also won't contain some random small project, or it is open for anyone to upload scripts to, so it will become vulnerable to malicious scripts. Worse yet, people would be able to upload scripts to projects they don't control, as the developers of said project likely won't.

Basically it is not really any safer than separate dev owned websites if open, nor does it offer better package support than distro repos if curated.

Maybe the server was hacked and the script was changed?

Same thing can happen to any system though. What happens if your servers for this service are hacked? Being a central point makes you a bigger target and with more people able to change (assuming you are not going to be the only one to curate packages) things you have a bigger area of attack. And once hacked they can compromise far more downloads than a single package.

Your solution does not improve security - it just shuffles it around a bit. Sounds nice on paper but when you look at it in more detail there are a lot more things you need to consider to create an actually secure system that is better than what we currently have.

[–] ExLisper@lemmy.curiana.net 1 points 18 hours ago* (last edited 17 hours ago)

Your solution does not improve security - it just shuffles it around a bit. Sounds nice on paper but when you look at it in more detail there are a lot more things you need to consider to create an actually secure system that is better than what we currently have.

I would argue that a centralized, audited system is more secure than thousands of separate websites each doing security in a different, obscure way. Yes, it's a bigger target but every single package repository has the same issue and everyone agrees it's more secure than hosting each package on a different server.

Either it is fully curated like a distro package list and likely also won't contain some random small project, or it is open for anyone to upload scripts to, so it will become vulnerable to malicious scripts. Worse yet, people would be able to upload scripts to projects they don't control, as the developers of said project likely won't.

  1. It wouldn't offer discovery of any kind. You wouldn't do grunt search brew. If a malicious dev uploaded a brew installer there, no one would know about it. The way to discover packages would be information on official websites. Homebrew would say on their page "To install do grunt brew". The problem of random small projects or uploading scripts for projects you don't control would not apply here.

  2. If someone just randomly tried to do grunt spotify it would be like running any other command you don't understand in the command line. You can't protect users from that. With curl | bash you're exposed to security risks even if you understand what you're doing.

  3. Static checks on the server would offer some protection from malicious scripts. Hosting scripts on many different servers doesn't offer any such protection.

  4. Statistics for scripts would offer additional protection from small, random scripts. Faking a script with millions of downloads will be much harder than simply uploading something.

All this is not perfect but it definitely improves security. Saying it doesn't is like saying that APT is not more secure than downloading tarballs from ftp servers.

[–] ExLisper@lemmy.curiana.net -4 points 1 day ago (2 children)

And generally what you are describing is a software repo, you know the one that comes with your distro.

It's not. It's a generic, terminal based installer. Lots of projects use them exactly because they don't want to use software repos provided by distros. Personally I think they should but it's very very common that they don't.

[–] Kornblumenratte@feddit.org 8 points 1 day ago

There is no such thing as a generic installer for all linux distributions. Distributions differ, and you cannot assume that an install script that works for distribution X will work on distribution Y. And that's exactly why linux is almost unusable without a package manager – you'd have to manage dependency hell, install paths, configuration and uninstalling process on your own.

By the way, software repos are not maintained by the authors of projects, they are maintained by the distributors.

Furthermore, piping a downloaded script into sh is such terrible practice that everyone who offers this idea is either a malicious actor or utterly ignorant of any basic security practice – you wouldn't want software from either.

[–] solardirus@slrpnk.net 2 points 15 hours ago

There is no such thing. Every "generic, terminal-based installer" is in reality a script that was intentionally made to target many distributions.

And do you know what most of them do...? Use the inbuilt package manager of your distro.

That and set up some systemd services and PATHs, sometimes.

You're such a fucking goober.