Post History
Answer
#1: Initial revision
Yes, it's a sloppy practice [often joked upon](https://xkcd.com/1654/) but [the security concerns are overblown](https://www.arp242.net/curl-to-sh.html): Piping unknown code into bash feels scary *(and it should)*, but running `make` can be just as dangerous.

Some install scripts make unwanted changes to `.bashrc` or to the filesystem so I still prefer to download the script and inspect it before running it (don't re-download the script as [it might have changed](https://web.archive.org/web/20240523102739/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)).

Also, keep in mind that it's notoriously difficult to write a robust shell script. It could [wipe your hard drive](https://github.com/ValveSoftware/steam-for-linux/issues/3671), even though it was written with good intentions.

Copy-pasting commands from the README isn't secure either. Try copy-pasting the line below:

<pre><code><span class="sr-only">echo pwned;</span>echo "triple-click and copy me!"<span class="sr-only">;echo pwned</span></code></pre>

As a developer, you should tell users to prefer packages from their Linux distro, if available. Packages are easier to uninstall, provide integrity via checksums, and are vetted by package maintainers. You should work together with downstream package maintainers and follow common practices to make it easy to package your software.

However, being able to install unpackaged software by running a single command can be convenient if you are inside a throw-away machine like a VM or Docker container.
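
The download-once, inspect, then run workflow from the answer above, as an added example that is not part of the original post. The function names and the URL in the usage comment are hypothetical; the script is fetched a single time and the shell only runs the file whose digest was recorded at review.

```shell
#!/bin/sh
# Added example (not from the post): fetch once, review, run the reviewed bytes.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_once URL DEST: save the script to disk instead of piping it into a shell.
# --fail makes an HTTP error a non-zero exit rather than a saved error page.
fetch_once() {
    curl --fail --silent --show-error --location --proto '=https' \
         --output "$2" "$1"
}

# run_reviewed FILE DIGEST: run FILE with sh only if it still hashes to DIGEST,
# the value recorded when the file was read.
run_reviewed() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: content differs from the reviewed copy" >&2
        return 1
    fi
    sh "$1"
}

# install_reviewed URL: the whole interactive workflow on one local copy.
install_reviewed() {
    script=$(mktemp) || return 2
    fetch_once "$1" "$script" || { rm -f "$script"; return 2; }
    reviewed=$(sha256_of "$script")
    ${PAGER:-less} "$script"        # read the saved file, not a second download
    printf 'Run %s (sha256 %s)? [y/N] ' "$1" "$reviewed"
    read -r answer
    [ "$answer" = y ] && run_reviewed "$script" "$reviewed"
    status=$?
    rm -f "$script"
    return "$status"
}

# Usage (placeholder URL): install_reviewed https://example.com/install.sh
```
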