Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?

What are some red flags that should deter anyone from installing and running something?

  • Miaou@jlai.lu · 10 hours ago (edited)

    The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.

    I say “real” because all the idiots talking about “don’t run scripts from the internet!!!” probably forget they don’t decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one-liner. Why would I worry about them serving me a wrong script when I’m anyway about to run their binary blob?

    If you have any doubt about the hosting service (which might or might not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know who’s running the requested script? Possibly someday.
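A defender-side check for the User-Agent trick the comment above describes, added here as an example (not the commenter's code or any project's): fetch the same install URL with a curl-style and a browser-style User-Agent and compare digests before deciding to run anything. The User-Agent strings and the URL placeholder are constructed; the fetcher is injectable so the comparison logic can be exercised without network access.

```python
"""Detect whether an install script is served differently per User-Agent."""
import hashlib
import sys
import urllib.request
from typing import Callable, Dict

# Constructed User-Agent strings: one mimicking curl's default "curl/<ver>"
# format, one mimicking a desktop browser. Adjust to the clients you use.
USER_AGENTS = {
    "curl": "curl/8.5.0",
    "browser": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
}


def fetch_with_user_agent(url: str, user_agent: str, timeout: float = 10.0) -> bytes:
    """Fetch url with an explicit User-Agent header and return the raw body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def digests_by_user_agent(
    url: str,
    fetch: Callable[[str, str], bytes] = fetch_with_user_agent,
    user_agents: Dict[str, str] = USER_AGENTS,
) -> Dict[str, str]:
    """Return {label: sha256 hex digest} of the body served to each User-Agent."""
    return {label: hashlib.sha256(fetch(url, ua)).hexdigest()
            for label, ua in user_agents.items()}


def serves_consistent_content(
    url: str,
    fetch: Callable[[str, str], bytes] = fetch_with_user_agent,
    user_agents: Dict[str, str] = USER_AGENTS,
) -> bool:
    """True only if every User-Agent received byte-identical content."""
    return len(set(digests_by_user_agent(url, fetch, user_agents).values())) == 1


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ua_check.py https://<host>/install.sh  (placeholder URL)")
    target = sys.argv[1]
    for label, digest in digests_by_user_agent(target).items():
        print(f"{label:8s} {digest}")
    if serves_consistent_content(target):
        print("same bytes for every User-Agent; inspect the saved file before running it")
    else:
        print("content DIFFERS by User-Agent: what you read is not what curl would get")
```

A matching pair of digests is only evidence that this host is not User-Agent sniffing right now; it says nothing about what the script itself does, so still save it and read it.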