I hate this practice, no idea how it became commonplace. Of course lots of times, installation procedures can be long and tedious, but it takes one popular project's script server to be compromised, and tons of people are suddenly running malicious commands.<p>I would go through manually installing dependencies and setting up my system, adding repos, etc. over running some script any day. But then again some projects wouldn't be that popular if they were hard to install.<p>Some of npm's installation instructions ask you to pipe curl into bash, to run a lovely script [0] which makes things easier for you, but not by much. Is it really necessary? Would developers give up trying to get npm and node just because installing is not as easy as "curl <a href="https://some.script.com/that-script.sh" rel="nofollow">https://some.script.com/that-script.sh</a> | sudo -E bash -; sudo apt-get install npm"?<p>Other than building/installing programs, adding GPG/SSH keys like in the blog post can be as dangerous, and while not simple, there could be some method built to make things easier without having to run commands you don't even check.<p>Anyways, hope projects grow out of this habit.<p>[0] <a href="https://deb.nodesource.com/setup_6.x" rel="nofollow">https://deb.nodesource.com/setup_6.x</a>
Isn't the solution to publish the key on a keyserver and fetch it with apt-key? Something like<p><pre><code> apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <fingerprint></code></pre>
> Consider the case where download.docker.com starts serving an evil key file<p>At that point I can't trust the key ID in the Docker documentation either. Since Docker doesn't use the web of trust (who does, honestly?) there is no way that I can verify the key ID in any way in the provided key file. So I don't know how it does any good inspecting the key file before adding it to the apt keyring.
On a related note, don't copy commands from the web and paste them into your shell (or any terminal program):<p><a href="http://thejh.net/misc/website-terminal-copy-paste" rel="nofollow">http://thejh.net/misc/website-terminal-copy-paste</a>
On piping anything from the Internet directly to your system for execution: Don't be lazy. Don't be an ass.<p>When I am working in a persona that is responsible for managing a server or a service, I insist on knowing everything I need to know about how to keep that service and the environment in which it operates safe, alive, and providing usable performance.<p>I require good, clean and coherent instructions for deploying something at production level, where all required components and their preferred method of interaction are clearly explained and documented by the developer, and can be repeated in a predictable manner by me.<p>If all I have to work with is "pipe this to the shell, alternatively read the code" I'm going to go with "nah, I'll find something professional".<p>Time spent installing a system should be only a minuscule fraction of time spent actually operating the system. Spending a few extra hours doing it right shouldn't make a difference.<p><i>[edit: added "...and another thing" argument]</i>
Apt-key should just have a built-in way of importing keys from HTTP(s) URLs, preferably in interactive mode so you can confirm the keys are legitimate before adding them.
Would it be possible to write a "confirm" tool that writes stdin to stderr then waits for the user to press enter before writing to stdout?<p><pre><code> curl ... | confirm | apt-key ...</code></pre>
Of course there's no such thing as a stderr input stream, so I'm not sure this would even be possible.
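One way to build that confirm filter, as an added example that is not the commenter's code: it buffers all of stdin into a temporary file, shows it on stderr, reads the yes/no answer from /dev/tty (the controlling terminal, since stdin is already taken by the pipe), and only on approval copies the buffer to stdout, so nothing reaches the next command before the user has seen all of it. CONFIRM_TTY is an assumed environment override of the terminal path, used here so the filter can be exercised non-interactively.

```shell
#!/bin/sh
# confirm: review what a pipe carries before it reaches the next command.
# Usage:  curl ... | confirm | apt-key add -
# Assumption: CONFIRM_TTY (if set) replaces /dev/tty as the answer source.

confirm() {
    tty_path="${CONFIRM_TTY:-/dev/tty}"
    tmp=$(mktemp) || return 1
    # Buffer the whole input first: forwarding it line by line would let a
    # partial script through before the user could say no.
    cat > "$tmp"
    echo "----- content received on stdin -----" >&2
    cat "$tmp" >&2
    echo "----- end ($(wc -c < "$tmp" | tr -d ' ') bytes) -----" >&2
    printf 'Pass this to the next command? [y/N] ' >&2
    # stdin is the pipe, so the answer must come from the terminal. If there
    # is no terminal (cron, CI), treat it as a rejection.
    read -r answer < "$tty_path" || answer=""
    case "$answer" in
        y|Y|yes|YES)
            cat "$tmp"
            rm -f "$tmp"
            return 0 ;;
        *)
            echo "confirm: rejected, nothing written to stdout" >&2
            rm -f "$tmp"
            return 1 ;;
    esac
}

# Behave as the filter when installed and executed as a command named confirm.
case "$0" in */confirm|confirm) confirm "$@" ;; esac
```

Because the filter returns non-zero on rejection, a following `&&` stops the pipeline cleanly; with `|` the next command simply receives an empty stdin.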
Of my first steps into the world of Linux this year, this sort of procedure has been one of the most glaringly disturbing. Another similar was packages being downloaded over HTTP.