89 points | a10r | 9 comments
1. kevincox ◴[] No.44408014[source]
My main question is in 90% of cases these are installers. How are you actually verifying the software that you install? In some cases it is signed and verified but in many cases it is just coming down from the same HTTPS server with no additional verification. So are you then diffing the code (which may be compiled) as well?

I'm not saying that random running random installers from the internet is a great pattern. Something like installing from your distribution can have better verification mechanisms. But this seems to add very little confidence.

replies(3): >>44408170 #>>44409862 #>>44410375 #
2. a10r ◴[] No.44408170[source]
You're absolutely right—vet's scope is focused on securing the installer script itself, not the binary it downloads.

The goal is to prevent the installer from being maliciously modified to, for example, skip its own checksum verification or download a binary from a different, malicious URL.

It's one strong link in the chain, but you're right that it's not the whole chain.

replies(1): >>44408205 #
3. ◴[] No.44408205[source]
4. shivawu ◴[] No.44409862[source]
The other thing is... an installer generally only runs once on a single machine, so I'm not sure how useful it is to "show the changes since last run".
replies(1): >>44415345 #
5. ajross ◴[] No.44410375[source]
> How are you actually verifying the software that you install?

By installing it through a well-audited, cryptographically-signed and community-maintained package list with a solid security history. What?

The bug here isn't that "it's hard to make downloading scripts secure!", it's that people on macs (and a few other communities, but really it's just OS X culture at fault here) insist on developing software with outrageous hackery like this and refuse to demand better from their platform.

Fix that. Don't pretend that linting (!!) shell scripts pulled off the open internet is going to do anything.

replies(1): >>44412328 #
6. subjectsigma ◴[] No.44412328[source]
Why do you think it's OS X culture and not Rust culture? Popular Rust tools like starship, atuin, and cargo itself ask you to curl an installer. They certainly didn't invent this, but they did re-popularize it.
replies(1): >>44413269 #
7. ajross ◴[] No.44413269{3}[source]
Most non-Apple rust users get it via a Linux distro's package manager, or by building from source. And after installation cargo is, if not Debian-quality, reasonably secure vs. attack (sub-linux but better than npm, basically).

While there are surely exceptions, that nonsense about "just run this unauthenticated script URL" is something unique to the Mac experience. And it's horrifying.

replies(1): >>44419564 #
8. sgarland ◴[] No.44415345[source]
This. OP, tools often install their own update mechanisms (e.g. `uv self update`), so this may not be as useful as you think. As an alternative (albeit one that adds potential hosting costs), consider running a small DB - can be as simple as SQLite - with hashes of scripts. You also need to handle legitimate updates from the script's author[s], though. If you can extract versioning from the URL, e.g. GitHub releases, you could include that in the schema.

I made a gist demonstrating a SQLite schema and using it via direct user input: https://gist.github.com/stephanGarland/5ee5281dedc3abcbc57fa...
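The hash-store idea from the comment above, as an added illustration that is not the commenter's gist and not part of vet: a SQLite table keyed by (URL, version) holding a SHA-256 of each installer script, where the version is parsed from a GitHub releases URL when present. A script whose bytes change without a new version is flagged as "changed" so a human can diff it before running; a new release tag is simply recorded as a new row. The table name, functions and sample scripts are all assumptions constructed for this example.

```python
import hashlib
import re
import sqlite3

# Hypothetical schema: one row per (url, version); version is "" when the URL
# carries no recognisable tag, so the primary key stays well-defined.
SCHEMA = """
CREATE TABLE IF NOT EXISTS scripts (
    url     TEXT NOT NULL,
    version TEXT NOT NULL,   -- release tag parsed from the URL, or ""
    sha256  TEXT NOT NULL,
    PRIMARY KEY (url, version)
);
"""

# GitHub release asset URLs embed the tag in the path, which gives a version key.
GITHUB_RELEASE = re.compile(r"github\.com/[^/]+/[^/]+/releases/download/([^/]+)/")


def extract_version(url):
    """Return the release tag from a GitHub releases URL, else None."""
    m = GITHUB_RELEASE.search(url)
    return m.group(1) if m else None


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def check_script(conn, url, content):
    """Compare installer bytes against the hash recorded for (url, version).

    Returns "new" (first sighting, now recorded), "unchanged", or "changed"
    (same URL and version but different bytes: diff and review before running).
    """
    digest = hashlib.sha256(content).hexdigest()
    version = extract_version(url) or ""
    row = conn.execute(
        "SELECT sha256 FROM scripts WHERE url = ? AND version = ?", (url, version)
    ).fetchone()
    if row is None:
        conn.execute("INSERT INTO scripts VALUES (?, ?, ?)", (url, version, digest))
        conn.commit()
        return "new"
    return "unchanged" if row[0] == digest else "changed"


if __name__ == "__main__":
    # Constructed sample: the same release URL served twice with different bytes.
    db = open_db()
    u = "https://github.com/example/tool/releases/download/v1.2.0/install.sh"
    print(check_script(db, u, b"#!/bin/sh\necho install\n"))   # new
    print(check_script(db, u, b"#!/bin/sh\necho tampered\n"))  # changed
```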

9. subjectsigma ◴[] No.44419564{4}[source]
> While there are surely exceptions, that nonsense ... is something unique to the Mac experience

Wait, so is it unique, or are there exceptions?... You can't really have it both ways, right? The more I think about this, it's a silly argument with no real evidence supporting it and I'm curious as to how you even thought of it.

> Most non-Apple rust users get it via a Linux distro's package manager, or by building from source.

Really? That's not what the official Rust documentation says to do. It says to curl-bash-pipe: https://doc.rust-lang.org/cargo/getting-started/installation... So how do you know Linux users are not doing this?

This guy made a list (which is now four years old) of projects that do this: https://kubikpixel.github.io/pipeinstall/ Not a single one is Mac only, all Linux or cross-platform. I'm sure it is woefully incomplete.

Here's another list: https://github.com/nightwatchcybersecurity/dont_curl_and_bas... I believe Homebrew is the only Mac-specific software on the list, otherwise it's all Linux or cross-platform.

Yet another list posted to HN in 2016, nearly all Linux software, including some GNU projects: https://gnu.moe/wallofshame.md (Though there are some entries here that were already in the other two)

The more I think about it, it's bizarre and kind of funny. There's so many real things you can hate on Apple (fans) for, why choose to make up stuff about their nefarious curl-bash practices?