Many official Rust-related resources (like rustup.rs) contains curl | sh as the preferred installation method. It's unsafe even if we trust the script: connection error can make sh to execute half of script, messing up computer's state.
Why documentation recommends to do it instead of, for example,
curl ... > /tmp/install.sh && sh /tmp/install.sh
?
This is the source code of the rustup install script: rustup.sh · GitHub. Could you describe how a truncated version of that script could cause trouble?
Ok, this particular version of this particular script can't cause trouble when truncated. Forming habit of doing curl | sh is bad anyway: there are scripts that are harmful when truncated.
What I want to say is Rust resources shouldn't teach to do theoretically unsafe things without marking them as "theoretically unsafe", even if these things is safe in each specific case.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.