Show HN: Vet – A tool for safely running remote shell scripts

(getvet.sh)

89 points a10r | 3 comments | 28 Jun 25 19:56 UTC | HN request time: 0s | source

Show context

calrain ◴[29 Jun 25 06:31 UTC] No.44410767[source]▶

Oh the irony:

    # You're blindly trusting the remote script.
    curl -sSL https://example.com/install.sh | bash

then

    curl -sL https://getvet.sh | sh

replies(1): >>44410783 #

yayoohooyahoo ◴[29 Jun 25 06:36 UTC] No.44410783[source]▶

>>44410767 #

I guess you stopped reading there and missed that part:

> Yes, we see the irony! We encourage you to inspect our installer first. That's the whole point of vet. You can read the installer's source code install.sh

replies(1): >>44410931 #

1. stedaniels ◴[29 Jun 25 07:15 UTC] No.44410931[source]▶

>>44410783 #

It is very trivial to serve different code to someone inspecting the code than when they pipe it to bash. In the very rare case someone inspected it they’d likely do so in a way that was vulnerable to this.

replies(1): >>44412610 #

2. a10r ◴[29 Jun 25 12:36 UTC] No.44412610[source]▶

>>44410931 (TP) #

That’s an excellent point, and thank you for raising it. You are 100% correct—relying on users to inspect a URL that could be spoofed with User-Agent trickery is a flaw in the original recommendation. It's a classic threat model that I should have addressed from the start.

Thanks to your feedback, I've just merged a PR to change the recommended installation method in the documentation to the only truly safe one: a two-step "download, then execute the local file" process. This ensures the code a user inspects is the exact same code they run.

I sincerely appreciate you taking the time to share your expertise and hold the project to a higher standard. This is what makes a community great.