The Audacity of Piping Curl to Bash

It seems more and more common, at least in the self-hosted community, to provide two methods of installation: Docker or a shell script installer. It seems that many new projects don’t even bother with a native package manager, such as dpkg or rpm, which makes me reluctant to use them.

Many talk about the security implications of piping curl into bash, but that has been discussed enough, and the solution is usually to split the process into two steps: fetching the file and then running it. What really makes me avoid running those scripts is how complicated they are and the audacity with which they treat my system.

How complicated, you might ask? The Oh My Zsh installer is 420 lines of POSIX shell, granted, with many useful comments that helped me understand what it is doing. What does the installer do, you might ask? Well, not much. It basically boils down to cloning their git repository to ~/.oh-my-zsh [1], replacing your ~/.zshrc file with their own, and changing your shell to Zsh. The rest of the code mostly handles edge cases of existing files, missing commands, etc.

The Oh My Zsh installer also shows (albeit not much compared to more complicated installers) the audacity with which these scripts treat my system, doing too much with it. If my package manager had an Oh My Zsh package, I would have just expected it to install it in the proper location (hopefully not in my home directory) and leave the rest of the configuration to me. I don’t need them to override my ~/.zshrc file and I definitely don’t need them to change my shell on my behalf.

I don’t mean to pick on Oh My Zsh; I chose them because their script is relatively simple and I had read it before, when I used Zsh, because I wanted to use them without the installer. It turned out I could replace their script with a git clone command because I already had a ~/.zshrc that sourced Oh My Zsh and changed my shell in my dotfiles installer. There’s also nothing wrong with a script that configures everything, but please don’t make it your main way of installing it.
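As an added example (not from the original post or from Oh My Zsh), the two-step approach mentioned above can include a quick pass over the saved installer to list the lines that change the login shell, overwrite shell rc files, escalate privileges, or pipe another download into a shell. The function names, the patterns and the sample installer are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag state-changing lines in an installer before running it.
# The patterns are illustrative assumptions, not a complete audit.

# Prints "LINE:KIND:source" per flagged line.
# Returns 0 = nothing flagged, 1 = flagged lines, 2 = file unreadable.
audit_installer() {
    [ -r "$1" ] || return 2
    awk '
        function flag(kind) { printf "%d:%s:%s\n", NR, kind, $0; hits++ }
        /^[ \t]*#/ { next }    # ignore comment lines
        /(^|[^A-Za-z0-9_])chsh([^A-Za-z0-9_]|$)/     { flag("login-shell") }
        /(^|[^A-Za-z0-9_])sudo([^A-Za-z0-9_]|$)/     { flag("privilege") }
        /(>|mv |cp |tee ).*\.(zshrc|bashrc|profile)/ { flag("rc-file") }
        /(curl|wget).*[|][ \t]*(ba|z)?sh/            { flag("nested-pipe") }
        END { exit (hits > 0 ? 1 : 0) }
    ' "$1"
}

# Step one of the two-step approach: save the script, never pipe it.
# Nothing is executed; read the file and the findings, then decide.
fetch_for_review() {    # usage: fetch_for_review URL DEST
    curl -fsSL -o "$2" "$1" || return 2
    audit_installer "$2"
}

# Constructed sample input (not the real Oh My Zsh installer), for offline use.
write_sample_installer() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample installer
git clone https://example.invalid/tool.git "$HOME/.tool"
cp "$HOME/.tool/template.zshrc" "$HOME/.zshrc"
chsh -s /bin/zsh
echo "done"
EOF
}
```

A clean result only means none of these patterns matched; it does not replace reading the script.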


  1. For the love of god, why do I still have programs on Linux that don’t use XDG directories?