
Why don’t those risky “curl | sh” commands at least do some checksum or sig verification?


I love how it's a self-proclaimed "secure web-based, collaborative terminal" but the installation instructions are the exact opposite.

Never blindly execute files without looking at them first!


I'm not sure about this criticism — the script is written to be as simple as possible and also has a comment about this if you do inspect it as you suggest.

    # This is a short script to install the latest version of the sshx binary.
    #
    # It's meant to be as simple as possible, so if you're not happy hardcoding a
    # `curl | sh` pipe in your application, you can just download the binary
    # directly with the appropriate URL for your architecture.

You're also welcome to install it any way you choose! The code is fully open-source, and it has straightforward instructions to build from source.
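
An added example (not part of the thread and not sshx's install script) of the check the first comment asks about: save the installer to a file, compare its SHA-256 with a pinned digest, and run it only on a match. The function names and the `INSTALLER_URL` and `PINNED_SHA256` variables are hypothetical placeholders, and the sketch assumes the digest was obtained through a channel other than the download server.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# digest before running it, instead of piping curl straight into sh.
# All function names here are hypothetical.

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_file FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 on bad input.
verify_file() {
    [ -f "$1" ] || { echo "verify: $1 not found" >&2; return 2; }
    # The pin must be exactly 64 hex characters, so an empty or truncated
    # value can never be treated as a match.
    case "$2" in
        *[!0-9a-fA-F]*|'') echo "verify: malformed digest" >&2; return 2 ;;
    esac
    [ "${#2}" -eq 64 ] || { echo "verify: malformed digest" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "verify: digest mismatch for $1" >&2
        return 1
    fi
}

# fetch_verify_run URL EXPECTED_HEX: download to a temp file, verify, then run.
fetch_verify_run() {
    tmp=$(mktemp) || return 2
    # -f fails on HTTP errors, so an error page is never hashed or executed.
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" &&
       verify_file "$tmp" "$2"; then
        sh "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholders, not real values):
#   fetch_verify_run "$INSTALLER_URL" "$PINNED_SHA256"
```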



