I was installing docker in order to run a test harness in radiusclient. I was reading from: https://docs.docker.com/installation/debian/
and it says to do this:
curl -sSL https://get.docker.com/ | sh
So please don’t. It’s just a really really bad habit, and it’s totally lazy, and yet they expended significant effort making this work. What does it do in the end:
That’s all. One can argue that this is more secure than piping network content into “sh”: at best, the pipe into sh can be made as secure as the underlying apt-get commands. What matters to me is that it’s more transparent, and it makes it pretty clear to the owner of the system what actually happened, and what to do if something went wrong.
The issue here is: is it a good thing to train junior people (who, I guess, can’t be trusted to type “apt-get install” properly) to blindly trust code from the network like this? Remember that this shell script is going to ask them for their sudo password.