Lars Marowsky-Brée 😷Feb 5

Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.

Finally a truly universal installer.

Show threadKlaus Frank
@larsmb But does it also leak to the server that you're using "--install" and not just try to download the file so that when you're trying to just download the malicious script the server can send you a version without the malware instead?
Feb 5 at 2:44pmWeb
Show threadPianosaurus 🕴Feb 5
@larsmb @agowa338 Lets have curl add a "Variant: without_vulnerabilities" header when --install is specified.
Show threadjens perssonFeb 5

@pianosaurus @larsmb @agowa338

I think RFC 3514 "The Security Flag in the IPv4 Header" have place here.

https://www.rfc-editor.org/rfc/rfc3514

RFC 3514: The Security Flag in the IPv4 Header

Show threadBrambleminster GollyhatchFeb 5
@agowa338 @larsmb I think it should not only leak that you're using --install but also the OS. That way you can just do `"curl --install whatever.com`" without caring about the full path (saves even more typing) and they can not only detect that you want to install their product but also deliver the right installer for whatever OS you're using. ☝️