BluescreenOfDeath

The post is specifically about how you can serve a totally different script than the one you inspect. If you use curl to fetch the script via terminal, the webserver can send a different script to a browser based on the UserAgent.

And whether or not you think someone would be mad to do it, it’s still a widespread practice. The article mentions that piping curl straight to bash is already standard procedure for Proxmox helper scripts. But don’t take anyone’s word for it, check it out:

community-scripts.github.io/ProxmoxVE/

It’s also the recommended method for PiHole:

docs.pi-hole.net/main/basic-install/

Proxmox VE Helper-Scripts

The official website for the Proxmox VE Helper-Scripts (Community) repository. Featuring over 400+ scripts to help you manage your Proxmox Virtual Environment.

Proxmox VE Helper-Scripts
Feb 23 at 3:06amWeb
Show threadmrnobodyFeb 23
The reality is a lot of newcomers to Linux won’t even understand the risks involved, it’s run because that’s what they’re told or shown to do. That’s what I did for pihole many years ago too, I’ll admit
Show threadatzanteolFeb 23
I’ve been accused of “gate keeping” when I tell people that this is a shitty way to deploy applications and that nobody should do it.
Show threadBluescreenOfDeathFeb 23

Users are blameless, I find the fault with the developers.

Asking users to pipe curl to bash because it’s easier for the developer is just the developer being lazy, IMO.

Developers wouldn’t get a free pass for taking lazy, insecure shortcuts in programming, I don’t know why they should get a free pass on this.