On Mon, Feb 27, 2023 at 4:52 PM Michael Stiller <mstiller(a)me.com> wrote:
I find this a little odd. If I go back to O'Reilly books from the early 90s, there was advice to do all sorts of suspect things in them, such as fetching random bits and pieces from random FTP servers (or even using email to fetch tarballs [!!]). Or downloading shell archives from USENET.
And of course you _can_ download the script and read through it if you want.
This does not help, you can detect that on the server and send something else.
What? You've already downloaded the script. Once it's on your local machine, why would you download it again?
If I really wanted to see whether it had been tampered with, perhaps spin up a sacrificial machine and run,

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | tee the.script | sh
and compare to the output of,

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > the.script.nopipeshell
- Dan C.
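The point of Dan's tee trick is that the file on disk is exactly what the shell executed, so a server that serves different bytes to a pipe-to-shell client cannot hide it. An added example (not from the thread): fetch once to a file with the curl flags quoted above, check its SHA-256 against a digest pinned out of band, and only then run that saved copy. The `FETCH` override, `curl_fetch`, `sha256_of` and `fetch_verify_run` are this example's own names; the test swaps `cp` in for curl so it runs offline.

```shell
#!/bin/sh
# Fetch an installer script to a file, verify its digest against a value
# obtained out of band, and execute only that exact file. The download happens
# once, so whatever the server chose to send is what gets inspected and run.
# FETCH defaults to curl with the flags from the thread; set FETCH=cp to
# exercise the logic against a local file (used by the test below).
FETCH="${FETCH:-curl_fetch}"

# Download URL ($1) to path ($2); same curl options as the thread.
curl_fetch() {
    curl --proto '=https' --tlsv1.2 -sSf -o "$2" "$1"
}

# Print the SHA-256 of a file; works with either sha256sum or shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_verify_run URL EXPECTED_SHA256 SAVED_COPY
# Returns 2 if the fetch fails, 1 (without executing anything) if the digest
# does not match, leaving SAVED_COPY on disk for inspection; otherwise runs
# the saved copy with sh and returns its exit status.
fetch_verify_run() {
    url=$1; expected=$2; saved=$3
    "$FETCH" "$url" "$saved" || return 2
    actual=$(sha256_of "$saved")
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
            "$url" "$expected" "$actual" >&2
        return 1
    fi
    sh "$saved"
}
```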