“Should I pipe it?”

So, fellow developers, you know how we’re all told not to pipe installation scripts into our shells and yet we all do it anyway? I just rolled a little something that might help with that…

Here’s an example of the nvm install script, verified by yours truly:


What do you think?

Anyone with a GitHub account can help verify installation scripts (would be good to have two more for nvm).

Instructions: github.com/small-tech/should-i

Thoughts? :)


@aral This seems fundamentally vulnerable to TOCTOU attacks

@jookia It doesn’t cache the script but there is of course the possibility that the site could serve one thing to Should I pipe it? and something else to everyone else. Will have a think about that.

The only way to fully mitigate any attack would be to have Should I pipe it? included in the pipe itself, but I’m hesitant to include a centralised single point of failure into install scripts. It would make that site the focus of attacks. This is meant as guidance / better than nothing / awareness.

@aral Having people just check hashes would be a start.

