this post was submitted on 31 Aug 2025
112 points (99.1% liked)


I only discovered this recently, and it's very handy.

Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
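The download, inspect, run-locally workflow mentioned in the post above, as an added example that is not part of the original post or of any project discussed here: a local copy only runs if its exact bytes were previously read and pinned by SHA-256, so a changed upstream script is refused until it is re-read. `REVIEWED_DB`, the function names and the sample file are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: gate a downloaded installer behind a reviewed SHA-256 pin.
# REVIEWED_DB and all function names are hypothetical, chosen for this example.

REVIEWED_DB="${REVIEWED_DB:-$HOME/.reviewed-scripts.sha256}"

# Print the SHA-256 of a file (hex digest only).
script_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record that the exact bytes of this file were read and accepted.
mark_reviewed() {
    printf '%s  %s\n' "$(script_hash "$1")" "$(basename "$1")" >> "$REVIEWED_DB"
}

# Return 0 only if this exact content was previously marked as reviewed.
is_reviewed() {
    [ -f "$REVIEWED_DB" ] && grep -q "^$(script_hash "$1") " "$REVIEWED_DB"
}

# Run a local copy only if its hash is pinned; otherwise refuse and say why.
run_reviewed() {
    local file="$1"
    shift
    if is_reviewed "$file"; then
        bash "$file" "$@"
    else
        echo "refusing: $file ($(script_hash "$file")) has not been reviewed" >&2
        echo "read it first, then call: mark_reviewed \"$file\"" >&2
        return 3
    fi
}

# Typical use (network step left commented so the block runs offline;
# $URL is a placeholder for the script's address):
#   curl -fsSL "$URL" -o ./installer.sh
#   less ./installer.sh
#   mark_reviewed ./installer.sh
#   run_reviewed ./installer.sh
```

Because the pin is on content rather than on the URL, re-downloading after an upstream change makes `run_reviewed` refuse until the new version has been read and marked.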

[–] Saik0Shinigami@lemmy.saik0.com 10 points 1 day ago (2 children)

There is no functional difference to piping a script vs running an AUR or other user repository install.

[–] NuXCOM_90Percent@lemmy.zip 9 points 1 day ago (2 children)

If anything it is easier to self audit the script.

But nobody ever actually audits the stuff they run so...

[–] Saik0Shinigami@lemmy.saik0.com 7 points 1 day ago (1 children)

Eh... I have my own repo that pulls the PVE repo and updates a bunch of things to how I want them to be and then runs a local version of the main page. While I don't stare at every update they make... There's likely enough of us out there looking at the scripts that we'd sound some alarms if something off was happening.

[–] NuXCOM_90Percent@lemmy.zip 2 points 1 day ago (1 children)

Which puts you ahead of the curve. But you are still depending on enough other people to be watching every update and so forth.

I am not saying I am much better. But it is one of those things where anyone considering the selfhosted Fun should REALLY spend some time dealing with software supply chains and the like. Too many people just figure "it is open source so it is safe" or, even in this thread, assume something is more or less safe based upon what app pulls it.

Sure, but my point is that it's no different to an AUR/user repo. At some point you're just trusting someone else.

I think the whole "Don't put bash scripts into a terminal" is too broad. It's the same risk factor as any blind trust in ANY repository. If you trust the repo then what does it matter if you install the program via repo or bash script. It's the same. In this specific case though, I trust the repo pretty well. I've read well more than half of the lines of code I actually run. When tteck was running it... he was very very sensitive about what was added and I had 100% faith in it. Since the community took it over after his death it seems like we're still pretty well off... but it's been growing much faster than I can keep up with.

But none of these issues are any different than installing from AUR.

The rule should just be "don't run shit from untrusted sources" which could include AUR/repo sources.

[–] antlion@lemmy.dbzer0.com 1 points 23 hours ago

I’m a real beginner with this stuff and I read through the install scripts before running them. But it wasn’t for security, I just wanted to see if I could learn some tips since I had already struggled to do it manually.

[–] atzanteol@sh.itjust.works 3 points 1 day ago (2 children)

How do you "undo" whatever that script did?

[–] MangoPenguin@lemmy.blahaj.zone 5 points 1 day ago (1 children)

In the case of these ones you just remove the LXC/VM it created.

[–] atzanteol@sh.itjust.works 4 points 1 day ago (2 children)

Neat. Now you have a snowflake install. How do you upgrade it?

[–] lka1988@lemmy.dbzer0.com 3 points 1 day ago (1 children)

Upgrade what? The LXC/VM you just removed because of a wonky script?

You went on with this for way too long, my guy. We get it, you don't like the helper scripts.

[–] atzanteol@sh.itjust.works 1 points 23 hours ago (1 children)

> Upgrade what? The LXC/VM you just removed because of a wonky script?

Did you purposefully misunderstand me? How did you not know that I meant "how do you update the thing you installed with a rando shell script" and not "how do you update something after removing it"?

[–] hendu@lemmy.dbzer0.com 3 points 14 hours ago

You go into the LXC's console and type update, or use whatever package manager is available in the LXC.

[–] y0kai@anarchist.nexus 0 points 11 hours ago

I'm pretty sure for most of them you just type update and it will update.

[–] Saik0Shinigami@lemmy.saik0.com 5 points 1 day ago* (last edited 1 day ago)

AUR repo items don't necessarily clean themselves up properly either. So I'm not sure why you think that's part of some requirement for the scripts if we're comparing the 2.

Edit: But in the case of this specific repo... You delete the lxc or vm that you created.