# general
Here's a potentially dumb question. On it suggests removing
. Ok, I'll run
curl --proto '=https' --tlsv1.2 -fsSL <>
as suggested but this doesn't install anything in
. All it seems to do is print a bunch of stuff out? I'm running on Ubuntu. The output looks like

log "Downloading and installing the pants launcher ..."
install_from_url "${URL}" "${dest}"
green "Installed the pants launcher from ${URL} to ${dest}"
if ! command -v "${base_name}" > /dev/null; then
  warn "${dest} is not on the PATH."
  log "You'll either need to invoke ${dest} explicitly or else add ${bin_dir} to your shell's PATH."

green "\nRunning \`pants\` in a Pants-enabled repo will use the version of Pants configured for that repo."
green "In a repo not yet Pants-enabled, it will prompt you to set up Pants for that repo."
The short of it is, it's a super bad idea to curl | bash. You should read scripts you execute. The 2.15 instructions left actually saving the curled file as an exercise for the reader (not sure why). You could add -O to get curl to save the file in the 2.15 instructions, for example.
Then, continuing on the 2.15 path, you'd read the script, determine it's not a virus, chmod +x it, then execute it or check it in or both. If you're comfortable with the 2.16 curl | bash though, then you can just do that.
Browsing the internet for an example, would something like
RUN curl --location --show-error --silent --output <> \
      && echo '08336beb0091ab192adef2cedbaa3428dabfc8572e724d2aa7fc4a4922efb20a' > \
      && sha256sum --check \
      && python3 \
      && rm
be a more secure option? (e.g. checking an explicit checksum) Or does it not matter because it's https and I trust *
In any case, thanks for such a quick answer on a Saturday night. It's always appreciated.
h applies that sort of checksum verification to the binaries it downloads.
If you want to apply checksum verification to it then where would that checksum come from?
There is an infinite recursion problem here...
In the end there has to be some moment of trust. Checking into your repo lets you at least concentrate that moment of trust to just a one-time download and visual inspection of the script.