
curl | bash is easy to run locally too, and very few people actually read the code that runs to check for “rm -rf /”-type things. When executing untrusted code from the internet, either you read it or your fate is in the author’s hands. No exceptions, not even for beginners getting started in programming via Jupyter notebooks.


Well, then let's go with the fact that a function called "never_called" is trying to delete all the files on the computer. At best it's a misnomer.

And it is right that the fate is in the author's hands. It's those hands that we are trying to tame.


People also run compiled code all day long. Curl | bash gets a lot of derision for being a bad practice. Unlike other applications that install themselves, the one advantage of curling to bash is that it's trivial to read the code.


I agree with all the above, but I am more concerned with what's given out. Not a great idea for a tutorial IMO. You can make the point without having to actually use that command - just make it clear as a comment. If this were some other doomsday command, you are screwed too. Just be nice to your readers.



