When software devs expect you to pipe a script straight from the internet into Bash...
When software devs expect you to pipe a script straight from the internet into Bash...
Developers: I will never ever do that, no one should ever do that, and you should be ashamed for guiding people to. I get that you want to make things easy for end users, but at least exercise some bare minimum common sense.
The worst part is that bun is just a single binary, so the install script is bloody pointless.
Bonus mildly infuriating is the mere existence of the .sh TLD.
Edit b/c I'm not going to answer the same goddamned questions 100 times from people who blindly copy/paste the question from StackOverflow into their code/terminal:
WhY iS ThaT woRSe thAn jUst DoWnlOADing a BinAary???
- Downloading the compiled binary from the release page (if you don't want to build yourself) has been a way to acquire software since shortly after the dawn of time. You already know what you're getting yourself into
- There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release's checksums file.
- Binaries can also be signed (not that signing keys have never leaked, but it's still one step in the chain of trust)
- The install script they're telling you to pipe is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there's lots of things that can go wrong with that.
The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice.
You're viewing a single thread.
What's a good package manager right now for stuff like this if i don't want to use the distro package manager though? I want up to date versions of these tools, ideally shipped by the devs themselves, with easy removal and updates. Is there any right now? I think Homebrew is like that? But I wish it didn't need creating an entire new user and worked on a user account basis.
In an ideal world, i would want to use these tools in such a way that I can uninstall them, including any tool data (cache, config, etc), and update them in a reliable manner. Most of these tools are also hellbent on creating a new ".<tool-name>" folder or file in the home folder ignoring the XDG spec.
It says in the comment of the script:
npm install
npm is JS-specific
Nix. I use it for everything, including all of my tools I use on my work MacBook.
There are many ways to use nix for this stuff, but personally I use home-manager in a flake-based setup. Versions of tools are all pinned in a lockfile which is committed to source control, so it's easy to get my config and all my tools on a new machine without any breakage (it does require installing first, though).
It's a great tool and has largely solved the pain of dealing with having to work on MacOS, for me.
Do you know of any Nix projects which are basically nix-but-as-if-was-brew?
I get that this violates the Nix philosophy, but it’s hard convincing collabs to install a root package manager, which has install commands like:
nix profile install nixpkgs/nixos-24.11#hello
I get that it’s flexible, but I would like something more like:
nix install hello
I want three things:
- rootless
- can manage “casks”
- global cli with support for per-project flakes
Do you know if this exists / is being developed?
- Supposedly there's a way to install nix without root access, but I can't speak to it as I've never tried. Ofc it doesn't require sudo to install packages or anything, though.
- I don't think it does this right now, largely because it's super fucking complicated (as is basically everything Apple) and homebrew casks themselves have had a ton of headaches around it. But nevertheless, I think
home-managerhas some workarounds it uses itself to enable many common GUI apps on MacOS. - Not sure exactly what you mean, but I think it does that?
If you want to install packages purely by name, you can use
nix-env -i helloor whatever. But it's pretty janky and not really a recommended way of doing things.
Nix is a great suggestion and I think i will be using it moving forward as well. Thanks. Ideally I want to use NixOS, do you know if secure boot is still a pain point with NixOS?