Developers: I will never ever do that, no one should ever do that, and you should be ashamed for guiding people to. I get that you want to make things easy for end users, but at least exercise some bare minimum common sense.
The worst part is that bun is just a single binary, so the install script is bloody pointless.
Bonus mildly infuriating is the mere existence of the .sh TLD.
Edit b/c I’m not going to answer the same goddamned questions 100 times from people who blindly copy/paste the question from StackOverflow into their code/terminal:
WhY iS ThaT woRSe thAn jUst DoWnlOADing a BinAary???
- Downloading the compiled binary from the release page (if you don’t want to build yourself) has been a way to acquire software since shortly after the dawn of time. You already know what you’re getting yourself into
- There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.
- Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)
- The install script they’re telling you to pipe is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.
The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice.


With the caveat that I’m currently blanking on the semantics of sub-shells yes I think you’re right,
-fis about not executing<hmtl><h1>404 Not Found</h1></html>. Does curl output half-transferred documents to stdout in the first place, though, and alsobash -cis going to hit the command line length limit at some point.And no I haven’t tried anything of this. I use a distribution, I have a package installer.
See the proof of concept for the pipe detection mentioned elsewhere in the thread https://github.com/Stijn-K/curlbash_detect . For that to work, curl has to send to stdout without having all data yet. Most reasonable scripts won’t be large enough, and will probably be buffered in full, though, I guess.
Thanks for the laugh on the package installer, haha.
Just skimmed through
rustup-init.shand executing half-downloaded things is not an issue, it’s all function declarations, oneset -uand one variable declaration (without side effects) before the last line of the script kicks off everything withmain "$@" || exit 1. It’s also a dash/bash/ksh/zsh/whatever-polyglot, someone put a lot of thought in this. Also it’s actually just figuring out the architecture and OS to know what binary installer to download. So don’t worry, it won’t accidentallyrm -rf /usr.