It is never safe to pipe curl to bash. The practice of verifying a different fetch of a URL than the one which is actually executed, as this site is currently advocating that users do, is an easily-exploitable time-of-check to time-of-use vulnerability.
It is never safe to pipe curl to bash. The practice of verifying a different fetch of a URL than the one which is actually executed, as this site is currently advocating that users do, is an easily-exploitable time-of-check to time-of-use vulnerability.
A malicious webserver can determine if the script download is actually being piped directly to bash, so, it can serve innocuous code when it isn't and malicious code when it is.
should-i-pipe.itshould always say no. If you want to verify things somehow before running them, you should verify the copy you're going to run.