golang / dep

Go dependency management tool experiment (deprecated)
https://golang.github.io/dep/
BSD 3-Clause "New" or "Revised" License

Remove the curl command that pipes to sh in the install guide #2210

Closed 0xf15h closed 5 years ago

0xf15h commented 5 years ago

What does this do / why do we need it?

If the server hosting the downloads is compromised, an adversary can serve malicious install scripts to the users that blindly pipe to sh while serving legitimate install scripts to the users that manually inspect them. This increases the time the adversary has to infect users before being discovered.

Source
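The safer alternative the issue argues for, written here as an added example rather than dep's own install script: fetch the installer to a file, compare it against a digest pinned out of band, and only then execute it. A server that serves one script to browsers and another to `curl | sh` cannot pass the check, because the bytes that run are the bytes that were hashed. The `fetch_and_run` function, the pinned digest argument and the use of `sha256sum`/`shasum` are this example's assumptions, not anything the dep project published.

```shell
#!/bin/sh
# Added example (not dep's install script): replace `curl ... | sh` with
# download, verify against a pinned SHA-256, inspect if desired, then run.

# sha256_of FILE
# Portable SHA-256 hex digest: coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE matches the pinned digest; any server-side
# substitution of the script contents fails here before anything executes.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# fetch_and_run URL EXPECTED_SHA256
# Download to a temporary file (never straight into sh), verify, then run.
# The expected digest must come from a source other than the download host,
# e.g. the project's release notes or a signed checksum file.
fetch_and_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 2
    # -f: fail on HTTP errors; -L: follow redirects; -o: write to file.
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 2; }
    if verify_script "$tmp" "$expected"; then
        # At this point the file can also be opened in a pager for review.
        sh "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder URL and digest, not real dep values):
#   fetch_and_run "https://example.invalid/install.sh" "<pinned sha256 hex>"
```

`verify_script` is separated from the download so the same check can be applied to a file obtained any other way (a package mirror, a vendored copy in a repository). Exit status 1 means the digest did not match; 2 means the download or hashing itself failed, so callers can distinguish tampering from a network error.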

kevinburke commented 5 years ago

If the Github static server gets compromised, there are a lot of bigger problems and attack vectors. Pretty much every Homebrew installation package uses this as an installation method, for example. Your concern is admirable and you are welcome to vet the installation script yourself.