Is `curl {something} | sudo bash -` a reasonably safe installation method?
The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:
curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.
As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:
- Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side
- Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.
- Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)
while some people think it's just as safe as any other practical installation method:
- McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.
- YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.
- Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?
There are also some that explore the problem without giving a decisive opinion:
Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?
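For comparison, here is the alternative the question is weighing against: download the installer to a file first, check it against a digest obtained out of band, read it, and only then hand it to sudo. This is an added illustration, not code from the question or from NodeSource; the URL and output path in the usage comments are placeholders, and the digest would have to come from the project's release page or a previously audited copy.

```bash
#!/usr/bin/env bash
# Added example (not from the question or from NodeSource): fetch an installer
# to a file, pin its SHA-256, inspect it, and only then run it under sudo.
# URL, file names and the digest in the usage comments are placeholders.
set -euo pipefail

# Compute a SHA-256 hex digest with whichever tool the host provides.
sha256_of() {
    local f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | awk '{print $1}'
    else
        openssl dgst -sha256 "$f" | awk '{print $NF}'
    fi
}

# Step 1: download to a file, not to a pipe. -f fails on HTTP errors so an
# error page is never executed, --proto '=https' refuses redirects to plain
# HTTP, and a dropped connection leaves a short file on disk instead of a
# half-executed script.
download_installer() {
    local url="$1" out="$2"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Step 2: compare the file against a digest you obtained out of band.
# Returns 0 on match, 1 on mismatch, so it composes in scripts.
verify_installer() {
    local file="$1" expected="$2" actual
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Step 3: only a verified file reaches sudo, and it is passed by path so the
# whole script is on disk before the first line runs. Note the plain "sudo",
# not "sudo -E": the installer does not inherit the caller's environment.
run_verified_installer() {
    local file="$1" expected="$2"
    if ! verify_installer "$file" "$expected"; then
        echo "refusing to run $file: SHA-256 mismatch" >&2
        return 1
    fi
    sudo bash "$file"
}

# Usage (placeholders; the digest is whatever the release page publishes):
# download_installer https://deb.nodesource.com/setup_12.x /tmp/setup_12.x.sh
# less /tmp/setup_12.x.sh          # read it before running it
# run_verified_installer /tmp/setup_12.x.sh <sha256 from release page>
```

The digest check only helps if the expected value comes from somewhere other than the same server and the same HTTPS session that served the script; if both come from one place, a compromised server can simply publish a matching hash. Where a project signs its installers, checking the signature instead of a pinned hash is the stronger version of the same step.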