this post was submitted on 23 Feb 2026
177 points (97.8% liked)

Selfhosted

60093 readers
815 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 30 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
177
A sneaky demonstration of the dangers of curl bash (blog.k3can.us)
submitted 4 months ago* (last edited 4 months ago) by K3can@lemmy.radio to c/selfhosted@lemmy.world
80 comments fedilink hide all child comments
 

I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script that appears safe.

It's nothing new or groundbreaking, but I figure it never hurts to have another reminder.

you are viewing a single comment's thread
view the rest of the comments
[–] Nibodhika@lemmy.world 1 points 4 months ago

But what is a trusted provider? How can you trust it? How sure are you that you're not being MitM? Have you fully manually verified that there's no funky flags in curl like -k, that the url is using SSL, that it's a correct url and not pointing at something malicious, etc, etc, etc. There are a lot of manual steps you must verify using this approach, whereas using a package manager all of them get checked automatically, plus some extra checks like hundreds of people validating the content is secure.

To do apt get from an unknown repo, you first need to convince the person to execute root commands they don't understand on their machine to add that unknown repo, if you can convice someone to run an unsafe command with root credentials then the machine is already compromised.

I get your point, random internet scripts are dangerous but random internet packages can also dangerous. But that's a false equivalence because there are lots of safeguards to the packages in the usual way people install them, but less than 0 safeguards to the curl|bash. In a similar manner, if this was a post talking about the dangers of fireworks and how you can blow yourself up using them your answer is "but someone can plant a bomb in the mall I go to, or steal the codes for a nuclear missile and blow me up anyways".