Is it safe/secure to install an executable from a source that may not be adequately vetted?


Wallace_n_Gromit

Senior Member
Is it safe/secure to install an executable from a source that may not be "thoroughly" vetted?

I have heard from a reputable security source in the past that using "curl" to install software is an iffy security issue. You have to implicitly trust the source.

I have little concern to "curl" from repos from developers here because of the community-based trust.

ADD: ...and whoever started strobing my smart lights. stop it! ;)

ADDITION: This thread was moved from another thread. I did not realize that I would be stepping on a few toes here, especially from some of the top developers/sysops. This was mainly posed as a question about using and installing new programs to run on your systems from NEW sources (and, come to find out, from old sources--i.e. supply chain attacks, and very old Linux component vulnerabilities like the sudo hack).

It was an idea expressed in the light of much recent news over the last year of the "weaponization" of many methods we take for granted to install, use, update, etc. the software we are all dependent upon.

The greatest thing about this specific grouping of threads, Merlin-AsusWRT, is the very proactive nature of the development and updating of features and mitigation of vulnerabilities as they arise. There is a strong, implicit trust that the developers know what they are doing and are doing it in the right way (i.e. the routers function correctly with their networking and sound/timely/updated security features).

I do understand that my question was posed not from informed personal experience but as a repetition (and I think a bad one at that) of something from an outside source I personally trusted. Once some disagreement about this subject arose, I wasn't even well-informed enough about "curl/bash" to offer some counterpoint.

Since there are so many who read these threads and are at various levels of computer subject matter experience, any claim that is potentially "outlandish" or "sensational" needs to be met head-on and challenged. So I definitely don't take any of this personally.

Lesson: If you bring something up, be clear what the issue is and be able to back it up. That way it will inform and not needlessly alarm.
 
I have heard from a reputable security source in the past that using "curl" to install software is an iffy security issue.
Why would that be? It's just a way of downloading a file through a shell instead of through a GUI.

It's how I always install the very well known acme.sh Let's Encrypt client on all the servers that I manage.
 
Why would that be? It's just a way of downloading a file through a shell instead of through a GUI.

It's how I always install the very well known acme.sh Let's Encrypt client on all the servers that I manage.
Piping the curl output to bash is probably where the concern is founded. Especially if you haven’t built up trust in the source provider.
 
Piping the curl output to bash is probably where the concern is founded. Especially if you haven’t built up trust in the source provider.
Yes, @RMerlin when I was talking about "curl" I was thinking about that PIVPN site.


I seem to recall that Steve Gibson, That security guy I was referring to, seemed to think it was a bad/inconsistent idea to use this method to install a VPN for privacy/security. Better to D.I.Y

And when I typed "...Is it safe/secure to install an executable..." I had a bit of a brain infarction; I was thinking of the web URL "raspap.com" as an executable. :oops:
 
I don't pay much (well any) attention to what Steve Gibson has to say. Not that he's wrong particularly, but from the stuff of his I have seen it's just an old man repeating other people's work without adding anything of value. I don't regard him as a "security guy".
 
What's the difference from downloading a .exe and double clicking on it afterward?

This is just bordering paranoia. Same security rules apply here as with anything else: make sure you run stuff downloaded from a trusted source, be it a shell script or an executable.
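The two points made above (the risk sits in piping curl straight into a shell, and the rule is the same as for any download: only run what comes from a source you trust) can be turned into a habit with a small wrapper. The script below is an added example, not code from any poster in this thread: it downloads the installer to a file, compares its SHA-256 against a value you recorded in advance from a channel you already trust, and only then runs it, so the file can also be read before it executes. The URL, file name and hash values are placeholders or constructed for the demo; the `tamper_demo` function is an offline self-check with a constructed sample installer.

```shell
#!/bin/sh
# Added example, not from any post in this thread.
# Pattern: download an installer to a file, check it against a SHA-256 value
# obtained beforehand from a source you already trust, then inspect/run it.
# URL, filename and hash values below are placeholders or constructed.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED: succeed only on an exact hash match.
verify_installer() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_verify_run URL EXPECTED: what to type instead of `curl ... | sh`.
# The file exists on disk before anything executes, so it can be read first.
# (URL is a placeholder; this function is not called in the offline demo.)
fetch_verify_run() {
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"
    rc=0
    if verify_installer "$tmp" "$2"; then
        sh "$tmp" || rc=$?
    else
        echo "checksum mismatch for $1, not running it" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# tamper_demo: offline self-check on a constructed installer. Returns 0 when
# the pristine file verifies and a copy with one extra line is rejected.
tamper_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "installing (constructed sample)"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")   # the value you would record out of band
    rc=0
    verify_installer "$dir/install.sh" "$pinned" || rc=1
    printf 'echo "extra line standing in for tampering"\n' >> "$dir/install.sh"
    if verify_installer "$dir/install.sh" "$pinned"; then rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Usage once a real URL and a trusted checksum are in hand:
#   fetch_verify_run "https://example.invalid/install.sh" "<sha256 from a trusted channel>"
tamper_demo && echo "pristine file accepted, modified file rejected"
```

The checksum only helps if it comes from somewhere other than the same page that serves the script; a value copied from the download page itself just proves the file is the one the page author intended, which is exactly the trust decision the thread is about.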
 
That wasn't really possible if I'm remembering what I read, but I may have it mixed up with the php compromise - curl is usually used when it's called by something like an update or install rather than by a person using the command. In the case where the user runs an update, they aren't aware it's being made harmful by something done to what it retrieves.

Both points are right - if the process was downloading source from somewhere trusted by the people and the security to reflect it things like curl and dependency tactics wouldn’t allow these supply chain attacks so easy.

The issue is somehow being comfortable using code we find when we have no idea who wrote it or what the second- and third-order effects are.
We have to assume php is compromised, and really, who's going to stop all php from touching their networks or systems?

The curl and php findings are both big deals, but it's definitely not even close to what's been done, and for so long, that there's no way they're going to be discovered and removed - the discovery is a risk planned for, with contingencies ready.
 
