Is this installation script safe to pipe into my shell?
Piping an installation script into your shell is a common, easy, yet risky way for developers to install command-line applications.
This is a simple attempt to solve the latter problem.
-
Add a link to Should I pipe it? next to the installation instructions for your app. E.g., for the Site.js install script:
https://should-i-pipe.it/https://sitejs.org/install
-
Follow the link and copy your script’s BLAKE2b-512 hash. e.g., for the above script:
ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c
-
Fork this repository and clone your fork.
-
Create a branch with the URL to your install script (omit the https:// prefix in the branch name). e.g.,
git checkout -b sitejs.org/install
-
Create a verification object for your script in the verified-hashes.json file and add yourself as the first verifier in its
verifiers
array. Make sure you setisAuthorOfScript
totrue
if you wrote the script and set it tofalse
if you’re verifying someone else’s script. Leave your verifierurl
empty for now.Make sure you sign your commits and that your commits show as verified on GitHub. Pull requests with unsigned/unverified commits will not be accepted.
e.g.,
{ "ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c": { "url": "https://sitejs.org/install", "verifiers": [ { "name": "Aral Balkan", "isAuthorOfScript": true, "url": "" } ] } }
-
Push your changes to your fork and create a pull request here. Format the title of the pull request as
Verifying <domain>/<path>
. Leave the description empty unless you have any special notes that are not covered by the data in your entry. e.g.,Verifying sitejs.org/install
-
Once you’ve opened your pull request, copy the URL of your pull request and update your verification entry with the url under the
verifiers[your-index].url
key. Your name will be linked to this pull request on the site so that people can verify the verifiers and can do so without needing any extra data from you.So the entry in the preceding example would become:
{ "ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c": { "url": "https://sitejs.org/install", "verifiers": [ { "name": "Aral Balkan", "isAuthorOfScript": true, "url": "https://github.com/small-tech/should-i-pipe-it/pull/1" } ] } }
-
Push your changes to the branch so that they show up in the pull request.
-
Ideally ask some other friends to verify your script also. Three verifiers per script would be ideal. I don’t think we need more than five.
Verified installation scripts:
- Must not be malicious.
- Must not violate a person’s privacy.
- Must not have apparent security issues.
- Must be served over TLS (https).
- Must be served using a content type of
text/plain
,text/x-shellscript
,application/x-sh
, orapplication/x-csh
.
Note that my own Site.js’s install script is being erroneously served as content type application/x-install-instructions
by Site.js’s Express static server. I have an issue open to fix this after the next release. Until then, temporarily, Should I pipe it? also accepts this content type.
This is a Site.js app. The source code you see here is the whole app.
To run it, clone this repository, install Site.js (make sure you check the install script with Should I pipe it 😜), switch to your working directory, and type:
site
Then, visit https://localhost to see your local version.
Please let me know what you think about this approach (and if you have any comments and suggestions) by opening an issue.
My goal in the longer term is to evolve this so that scripts with three verifications are marked as verified instead of just one.
Small Technology Foundation is a tiny, independent not-for-profit.
We exist in part thanks to patronage by people like you. If you share our vision and want to support our work, please become a patron or donate to us today and help us continue to exist.
Site.js is a complete small technology tool for developing, testing, and deploying a secure static or dynamic personal web site or app with zero configuration. With Node.js, (soon) Hugo, and more bundled into a single binary.
© 2020 Aral Balkan, Small Technology Foundation.