small-tech / should-i-pipe-it

Is this installation script safe to pipe into my shell?
GNU Affero General Public License v3.0

Maybe add entry for "what it does"? #10

Open rugk opened 4 years ago

rugk commented 4 years ago

Like F-Droid antifeatures maybe list what "dangerous" actions it does, or what it does in general. In one short sentence, so you can estimate the risk.

E.g. like I did in https://github.com/small-tech/should-i-pipe-it/pull/8:

What it does: It downloads the (correct) "rustup-init" binary from https://static.rust-lang.org and executes it to install rustup and rust.

aral commented 4 years ago

I like the idea but I wonder about maintainability as well as ease of submitting validations. Submitting a validation should take almost no time as the person has already invested time in reviewing the script (we must respect people’s time).

That said, perhaps we can flip it on its head:

Any installation script should be doing the following:

  1. Download a binary
  2. Move it to a place on your path

If a script does anything else that’s out of the ordinary, we should ask people to note that.

Then again, if it’s doing something out of the ordinary and we feel we need to warn people about it, perhaps that’s no longer a validation but a warning. So perhaps what we need, in addition to validations, is a list of warnings: scripts that have been reviewed but are not recommended for installation due to <insert reasons here>.

rugk commented 4 years ago

And 3. (possibly) execute that binary.
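
As an added example, not code from this thread or from the should-i-pipe-it project: a small Python triage script that turns an install script's text into the one-line "What it does" entry rugk proposed, recognising the three ordinary steps listed above (download a binary, move it onto PATH, execute it) and reporting anything else as a warning in the sense aral describes. The sample installer is constructed for the demo (loosely modelled on the rustup-init pattern, not the real script), and the PATH directories and warning list are my own choices; the regexes are deliberately simple, so the output is a triage aid for the reviewer, not a substitute for reading the script.

```python
import re

# Constructed sample installer for this demo (modelled loosely on the
# rustup-init pattern mentioned in the thread; it is not the real rustup script).
# It does the three ordinary steps and then two things worth a warning.
SAMPLE_INSTALLER = """\
#!/bin/sh
set -eu
curl -fsSL https://static.rust-lang.org/rustup/rustup-init.sh -o /tmp/rustup-init
chmod +x /tmp/rustup-init
/tmp/rustup-init -y
sudo mv /tmp/rustup-init /usr/local/bin/rustup-init
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
"""

# Directories an installer is expected to write a binary into (my own list).
# More specific entries come first so "/usr/local/bin" is not reported as "/usr/bin".
PATH_DIRS = ("$HOME/.local/bin", "~/.local/bin", "$HOME/bin", "~/bin",
             "/usr/local/bin", "/usr/bin")

URL_RE = re.compile(r"(https?)://([^/\s'\"]+)")
OUT_RE = re.compile(r"(?:-o|--output|--output-document|-O)\s+(\S+)")
CHMOD_X_RE = re.compile(r"\bchmod\s+\S*\+x\s+(\S+)")
INSTALL_RE = re.compile(r"(?:sudo\s+)?(?:mv|cp|install)\b")

# Anything here is "out of the ordinary" in aral's sense. This is my own list,
# a triage aid rather than a verdict: a script can be dangerous without matching it.
WARNING_PATTERNS = [
    (r"\b(?:sudo|doas)\b", "runs commands with sudo/doas"),
    (r"\brm\s+-[A-Za-z]*(?:[rR][A-Za-z]*f|f[A-Za-z]*[rR])", "recursively force-deletes files"),
    (r">>?\s*(?:~|\$HOME)/\.(?:bashrc|zshrc|profile|bash_profile)", "edits a shell startup file"),
    (r"\beval\b", "uses eval"),
    (r"(?:curl|wget)[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", "pipes a further download into a shell"),
    (r"\bhttp://", "downloads over plaintext HTTP"),
    (r"\bchmod\s+(?:-R\s+)?[0-7]*777\b", "makes files world-writable"),
    (r"\bbase64\s+(?:-d|--decode)\b", "decodes embedded base64 content"),
    (r"\b(?:systemctl|launchctl|crontab)\b", "installs a service or scheduled job"),
]


def summarize(script: str) -> dict:
    """Build a 'what it does' summary of an install script's text.

    Returns downloads [(scheme, host, saved_as)], executes [path], installs_to [dir]
    and warnings [(label, line)]. Detection is line-based and naive on purpose.
    """
    downloads, executes, installs_to, warnings = [], [], [], []
    fetched = set()  # files the script itself downloaded or marked executable
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for m in URL_RE.finditer(line):
            out = OUT_RE.search(line)
            saved_as = out.group(1) if out else None
            if saved_as and saved_as.startswith("http"):  # curl -O: saved under remote name
                saved_as = saved_as.rstrip("/").rsplit("/", 1)[-1] or None
            if saved_as:
                fetched.add(saved_as)
            downloads.append((m.group(1), m.group(2), saved_as))
        m = CHMOD_X_RE.search(line)
        if m:
            fetched.add(m.group(1))
        tokens = line.split()
        if tokens[0] == "sudo" and len(tokens) > 1:
            tokens = tokens[1:]
        # Step 3: the script runs something it fetched, directly or via an interpreter.
        if tokens[0] in ("sh", "bash", "zsh") and len(tokens) > 1 and tokens[1] in fetched:
            executes.append(tokens[1])
        elif tokens[0] in fetched:
            executes.append(tokens[0])
        # Step 2: the script moves or copies a file into a PATH directory.
        if INSTALL_RE.match(line):
            for d in PATH_DIRS:
                if d in line:
                    installs_to.append(d)
                    break
        for pattern, label in WARNING_PATTERNS:
            if re.search(pattern, line):
                warnings.append((label, line))
    return {"downloads": downloads, "executes": executes,
            "installs_to": installs_to, "warnings": warnings}


def describe(summary: dict) -> str:
    """Render the summary as the one-sentence entry rugk proposed."""
    parts = []
    if summary["downloads"]:
        parts.append("downloads from " + ", ".join(
            f"{host} ({scheme})" for scheme, host, _ in summary["downloads"]))
    if summary["executes"]:
        parts.append("executes " + ", ".join(summary["executes"]))
    if summary["installs_to"]:
        parts.append("installs into " + ", ".join(summary["installs_to"]))
    text = "What it does: " + ("; ".join(parts) if parts else "nothing recognisable") + "."
    labels = sorted({label for label, _ in summary["warnings"]})
    if labels:
        text += " Out of the ordinary: " + "; ".join(labels) + "."
    return text


if __name__ == "__main__":
    s = summarize(SAMPLE_INSTALLER)
    print(describe(s))
    for label, line in s["warnings"]:
        print(f"  warning: {label}: {line}")
```

Run against the sample, the summary line reads "What it does: downloads from static.rust-lang.org (https); executes /tmp/rustup-init; installs into /usr/local/bin. Out of the ordinary: edits a shell startup file; runs commands with sudo/doas." A script whose summary has no "Out of the ordinary" part is a candidate for a plain validation; one that does is a candidate for the separate warnings list aral suggests, with the matched lines as the reasons.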