Why official Rust sites asks to pipe curl to bash?

Many official Rust-related resources (like rustup.rs) contains curl | sh as the preferred installation method. It's unsafe even if we trust the script: connection error can make sh to execute half of script, messing up computer's state.
Why documentation recommends to do it instead of, for example,

curl ... > /tmp/install.sh && sh /tmp/install.sh


1 Like

This is the source code of the rustup install script: https://gist.github.com/sfackler/59abcfaa22e3fd0c2a67dcd38841c2ef. Could you describe how a truncated version of that script could cause trouble?

Ok, this particular version of this particular script can't cause trouble when truncated. Forming habit of doing curl | sh is bad anyway: there are scripts that are harmful when truncated.

1 Like

What I want to say is Rust resources shouldn't teach to do theoretically unsafe things without marking them as "theoretically unsafe", even if these things is safe in each specific case.

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.