
I completely agree. I have no idea why many people seem to be fans of this `curl x | bash` approach.

For pyenv all that is needed is to clone their git repository and add a couple of lines to your .bashrc.



I think `curl | bash` is treated unfairly. Whether you `git clone` or `curl` a script, you are fundamentally doing the same thing: downloading and executing code from the internet. `git clone` just feels safer because it is hiding that fact under layers of abstraction.

If I want to run pip, I need to trust PYPA. It's their code I want to run, and I need to download it one way or another. If I don't trust them to keep their domain secure, I don't see why I would trust them to keep their GitHub repo secure.

And the whole point of pip is to download code from PYPI and run it. pip, git, curl|bash, all do the same exact thing in this case. curl|bash just smells funny because it makes it more plainly obvious what is going on.


git clone will not execute arbitrary code from the internet without inspection.


I assume the cloned git repo includes arbitrary code that will be executed with the same security profile as a downloaded shell script.


If you read the source of all the programs you run, more power to you. Most people don't.


Honestly, the best approach should be "sudo apt get pyenv", but it's such a pain to package a program as a deb that I understand why many people don't bother.

Besides, curl works on all Linux AND on Mac.

Saves time.



