I can't be the only person who hates install instructions like 'curl -L some.host|bash'. Not to mention that the yeoman install script happily installs homebrew using 'curl -k ... |ruby'. No thanks.
If you don't trust such methods of installation, you don't have to use them. Also, you can always look at the source of the script if you don't trust said method and choose for if you want to install by hand, use the script, or just don't use the tool at all. You really can't fault Yeoman because they want to make it easy and painless to install their tool.
Why? I completely understand the intent of "curl -L some.host|bash". Even if I don't have curl or bash, I immediately know what is happening.
It's obviously a concern that you are downloading unchecked code from the internet and running it on your computer, but if you are talented enough to be able to inspect the code and certify it is not malicious, you are also talented enough how to get the code without executing it.
I've been on the private beta and working on that article for over a month in conjunction with Addy and Paul from the Yeoman team. I contributed numerous tickets and issues to the repository and assisted in testing countless times. Just so you don't think I whipped it out really quickly.
Did you actually read the article? It is more in depth then the QS on the yeoman.io site. At the end of the day, introductions are going to cover similar material, but I think this version is a bit friendlier than what is up on the main site now.
I actually thought it to be a good write up. When yeoman was first announced, I was "meh" about it. Now that I've read the article, I actually want to kick the tires on yeoman.
10 comments
[ 4.1 ms ] story [ 38.1 ms ] threadFor the people that want to check out the script:
https://raw.github.com/yeoman/yeoman/master/setup/install.sh
Do you think piping a shell script is less secure?
You're running code you haven't read. It all reduces to exactly the same vulnerability.
It's obviously a concern that you are downloading unchecked code from the internet and running it on your computer, but if you are talented enough to be able to inspect the code and certify it is not malicious, you are also talented enough how to get the code without executing it.
I've been on the private beta and working on that article for over a month in conjunction with Addy and Paul from the Yeoman team. I contributed numerous tickets and issues to the repository and assisted in testing countless times. Just so you don't think I whipped it out really quickly.