Hot take: If we added a "--install" option to #curl, we could optimize many a "| sh -" pipeline away.

Finally a truly universal installer.

I am uncertain if that's the patch I want to be known for though.

But I have set a reminder for in 32 days.

@larsmb You could then extend https://xkcd.com/1654/ with `curl --install "https://get${1}.dev/install.sh" &`

@larsmb honestly this could be an improvement to security. for example, it could:

1. require HTTPS
2. guard against truncation attacks
3. check against a malicious blacklist

which simply piping the output can't do

@larsmb
--insecure is implicit in this mode, correct?
@vyskocilm Snark aside, with "https" probably as (in)secure as getting the respective package from any community distribution.
@larsmb But does it also leak to the server that you're using "--install" and not just try to download the file so that when you're trying to just download the malicious script the server can send you a version without the malware instead?
@larsmb @agowa338 Let's have curl add a "Variant: without_vulnerabilities" header when --install is specified.

@pianosaurus @larsmb @agowa338

I think RFC 3514 "The Security Flag in the IPv4 Header" has a place here.

https://www.rfc-editor.org/rfc/rfc3514


@agowa338 @larsmb I think it should not only leak that you're using --install but also the OS. That way you can just do `curl --install whatever.com` without caring about the full path (saves even more typing) and they can not only detect that you want to install their product but also deliver the right installer for whatever OS you're using. ☝️
@larsmb This should work fine with openclaw!! You are ahead of the time.
@larsmb 🤣 I was shortly thinking that that is a chicken/egg situation if you want to install cURL via the `--install` option... 🙈
@larsmb @heiglandreas Let's just do a Microsoft, and ship every OS with something that isn't curl aliased as curl.
@larsmb @heiglandreas @pianosaurus so if their curl also implements --install, one can indeed install curl via "curl".
@larsmb better naming: "--submit" or "--infect"
@larsmb This is much longer to type than |sh -

@larsmb Bonus, it would stop people getting confused from typing `sudo curl $URL | sh -` instead of `curl $URL | sudo sh -`

...nope, still nope! 😆

@larsmb What could possibly go wrong? :)
@larsmb Or `curl --bash`
@amenonsen @larsmb how about a curlsh where you type in URLs in the prompt and the response is then executed as shell commands?
@larsmb This is a plan without a flaw nor any possibility of error!
@larsmb it should default to sudo to make things easy.
@larsmb please make it check a malware filter before passing it to $shell

@larsmb

Not sure how "| sh" is any less secure than what people do 99.9% of the time anyway, which is download an installer or executable and not bother to validate it.

If you really want to change the world, work out an actually secure mechanism (tall order!) and have --install implement it. Not sure what that would look like: https requirement, maybe a database of known/vetted installations, a means to report issues. Very tall order.

@tbortels Well that's, like... a package manager? Let's call it cURL Universal Package System and abbreviate it CUPS... oh damn.

@christopherkunz

Sadly I think I trust Badger and friends to get it right more than my package manager.

CUPS. Now that's a name I've not heard in a long time...

@christopherkunz @tbortels Package managers are so awesome we have hundreds.

@larsmb @christopherkunz

There is *always* a relevant XKCD:

https://xkcd.com/927

@larsmb
"| sh" _IS_ the curl install option
@larsmb pair it with some yet-to-be-specified `integrity` parameter to check the file and we're there.
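The HTTPS requirement, truncation guard and `integrity` check proposed in the thread, as an added example (not a curl feature and not code from any poster): a POSIX sh wrapper doing what a hypothetical `--install` would have to do. It assumes the publisher provides the script's SHA-256 out of band; `require_https`, `sha256_of`, `verify_sha256` and `install_from_url` are names chosen here.

```shell
# Refuse anything that is not an https:// URL (check 1 in the thread).
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Portable SHA-256 of a file: coreutils, then macOS shasum, then openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# The `integrity` check: expected digest is lowercase hex published out of band.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download completely, verify, and only then execute, as the invoking user
# (use `sudo sh "$tmp"` explicitly if root is really needed).
# Writing to a file first is the truncation guard (check 2): "curl | sh"
# executes whatever has arrived, while here curl must finish and return 0
# (it exits non-zero on a short body; --fail makes HTTP errors fatal too).
install_from_url() {
    url=$1; expected=$2
    require_https "$url" || return 2
    tmp=$(mktemp) || return 1
    if ! curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' \
            --output "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "digest mismatch, refusing to run $url" >&2
        rm -f "$tmp"; return 3
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}
```

A blocklist lookup (check 3) would slot in between the download and the digest check; it is left out because no such list is named in the thread.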
@larsmb maybe --execute will be a better option because it's not always an installation script.
@nyansen Ohhh how about "--rootkit"
@larsmb for a curl anti cheat system?
@larsmb @nyansen curl --yolo 😉. Although that is a short form. So it should probably only be one dash.
@larsmb this breaks the great idea of Unix where tools are simple, do one job well, and can be chained together for more complex tasks.
@larsmb @bagder The true systemd way would be to build a POSIX shell into curl, right?

@goetz No, the true systemd way would be to replace it with systemd-urld, a DBus service that is configured via plenty of .unit/.service files and a systemd-url-ctl CLI

But it can also no longer download to the same locations you used to use, since those are now immutable.

Oh, and a SELinux policy, with a different context for every domain.

@goetz @larsmb @bagder hmm.. The aim here is surely to make installation of programs easier. Logically therefore what is required is to provide access to the largest marketplace of programs - which is Windows.

Therefore Curl should have an integrated PE executable decoder, and all of WINE included in it.

@larsmb hot take, people that do that should not be allowed root privileges (and I'm being extremely gentle here..)
@krisbuytaert @larsmb Never would do that. I solely use npm install.
@der_mit_ph @larsmb I see why you stayed away from Fosdem and CfgMgmtCamp this week :)
@larsmb If the URL returns HTML curl should crawl the entire website for any .sh files and run them, that way you can just do "curl --install $DOMAIN" without path to type even less.
@larsmb
... And truly risky 😉
@larsmb soon curl is a complete operating system in itself with a pretty decent http client

@larsmb @bagder It’s too bad it got so normalised to let scripts from the internet run unchecked on our computers. That’s universally a bad idea, do we need to make it any easier?

https://mastodon.social/@stevenodb/116022371751014959

@stevenodb @bagder I'm not actually sure that's entirely true.

Package managers _also_ run "scripts from the Internet". And the next step they do is run the program that was just so installed. So if you don't trust the dev, you're still screwed.

Yes, there are many issues, and people surely shouldn't point it at random URLs either, but for a legitimate upstream project? I'm not sure the "security implications" are all that real.

(Sorry, my original post was snark, this reply isn't :-)

@larsmb --thefuck option for ai-driven speling correction and automated suid execution
@byteborg `curl --as-prompt`, instead of downloading anything from the internet, generate the content of what the URL likely would have delivered.
@larsmb not agentic enough to meet today's standards 🤣