On 2024-12-16 at 03:12:07 AM, Akihiro Suda wrote:
>> BTW I don't fully understand the use case. I presume it's not for security
>> as if one could compromise the install.sh, presumably one could
>> compromise the checksum in the instructions. So I'm presuming it's
>> for extra resiliency or something?
>
> The instructions are often duplicated to third-party documents, blogs,
> books, etc., and also archived in web.archive.org.
> So there is a huge chance that the compromise of the checksum can be detected.

It's worth adding, for clarity/posterity: checking a checksum first ensures you don't run partial scripts. The shell is line-oriented, so an incomplete download piped to `sh` will run... something. It can be hard to know exactly which effects to undo in such a case!

The `sponge` utility (e.g., in Debian's moreutils package) is another way to avoid the problem of partial scripts.

Cheers,
Michael
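
An added example, not part of the original thread: the partial-script point above, shown with a constructed two-step installer and a copy cut off mid-line. The function names (`sha256_of`, `verify_then_run`, `make_sample`) and the sample script are hypothetical, and the sketch assumes `sha256sum` or `shasum` is installed.

```shell
#!/bin/sh
# Added example; function names and the sample installer are hypothetical.

# sha256_of FILE: print the hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE EXPECTED [ARGS...]: run FILE with sh only when its
# SHA-256 equals EXPECTED. The file is fully on disk before sh sees any of it.
verify_then_run() {
    vr_file=$1; vr_expected=$2; shift 2
    vr_actual=$(sha256_of "$vr_file") || return 1
    if [ "$vr_actual" != "$vr_expected" ]; then
        echo "checksum mismatch for $vr_file, refusing to run" >&2
        return 1
    fi
    sh "$vr_file" "$@"
}

# make_sample DIR: write a constructed two-step installer plus a copy cut off
# partway through its second line, as an interrupted download would leave it.
make_sample() {
    printf 'touch "$1/step1"\ntouch "$1/step2"\n' > "$1/install.sh"
    head -c 20 "$1/install.sh" > "$1/partial.sh"
}

work=$(mktemp -d)
make_sample "$work"
pinned=$(sha256_of "$work/install.sh")   # stands in for the published checksum

# Unverified: sh executes whatever arrived, so only step1 happens.
mkdir "$work/piped" && sh -s "$work/piped" < "$work/partial.sh" 2>/dev/null || true
# Verified: the truncated copy is rejected before any line runs.
mkdir "$work/checked"
verify_then_run "$work/partial.sh" "$pinned" "$work/checked" || true
ls "$work/piped" "$work/checked"
```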