Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You mean a package manager like this?

  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"


That's actually very different, as first downloading the code and then executing it all at once removes the ability to differentiate--and then serve different files to--people who are separating the two steps for audit from people who are streaming the one to the other via pipe.

This paradigm is still reckless, though, even if you refused to believe in the security arguments: if you "merely" have a transient error during the script response--which might actually cut off only part of the last line you received!!--you shouldn't execute the fragment :/.

If you insist on doing this and you don't want it to feel like amateur hour to people like me--people who have a strong innate sense of exception safety--you (at least) need to use the bash -c with substitution and add a variable (so you can catch the error with set -e or &&).

    (c=$(curl) && bash -c "$c")


Well… Homebrew solves a lot of problems, and is extremely convenient, but the project was never accused of being a reference for good practices.

In that space, I tend to prefer MacPorts.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: