small-tech / should-i-pipe-it

Is this installation script safe to pipe into my shell?

Should I pipe it?

Is this installation script safe to pipe into my shell?

Piping an installation script into your shell is a common, easy, yet risky way for developers to install command-line applications.

This is a simple attempt to address the risky part: letting you check a script's hash against entries that named people have publicly vouched for before you pipe it into your shell.

How it works

  1. Add a link to Should I pipe it? next to the installation instructions for your app. E.g., for the Site.js install script:

    https://should-i-pipe.it/https://sitejs.org/install
  2. Follow the link and copy your script’s BLAKE2b-512 hash. e.g., for the above script:

    ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c
    
  3. Fork this repository and clone your fork.

  4. Create a branch with the URL to your install script (omit the https:// prefix in the branch name). e.g.,

    git checkout -b sitejs.org/install
    
  5. Create a verification object for your script in the verified-hashes.json file and add yourself as the first verifier in its verifiers array. Make sure you set isAuthorOfScript to true if you wrote the script and set it to false if you’re verifying someone else’s script. Leave your verifier url empty for now.

    Make sure you sign your commits and that your commits show as verified on GitHub. Pull requests with unsigned/unverified commits will not be accepted.

    e.g.,

    {
      "ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c": {
        "url": "https://sitejs.org/install",
        "verifiers": [
          {
            "name": "Aral Balkan",
            "isAuthorOfScript": true,
            "url": ""
          }
        ]
      }
    }
  6. Push your changes to your fork and create a pull request here. Format the title of the pull request as Verifying <domain>/<path>. Leave the description empty unless you have any special notes that are not covered by the data in your entry. e.g.,

    Verifying sitejs.org/install
    
  7. Once you’ve opened your pull request, copy the URL of your pull request and update your verification entry with the url under the verifiers[your-index].url key. Your name will be linked to this pull request on the site so that people can verify the verifiers without needing any extra data from you.

    So the entry in the preceding example would become:

    {
      "ce5c4c8c5118ba01a1b88e9ca23ff81a09d3cf12e66983947cbd59f1ca4f5a906f59d02142d05aac9d304874123b42f2639436151d4e675b8d0549a6c9f4de6c": {
        "url": "https://sitejs.org/install",
        "verifiers": [
          {
            "name": "Aral Balkan",
            "isAuthorOfScript": true,
            "url": "https://github.com/small-tech/should-i-pipe-it/pull/1"
          }
        ]
      }
    }
  8. Push your changes to the branch so that they show up in the pull request.

  9. Ideally ask some other friends to verify your script also. Three verifiers per script would be ideal. I don’t think we need more than five.

Verification requirements

Verified installation scripts:

  • Must not be malicious.
  • Must not violate a person’s privacy.
  • Must not have apparent security issues.
  • Must be served over TLS (https).
  • Must be served using a content type of text/plain, text/x-shellscript, application/x-sh, or application/x-csh.

Note that my own Site.js’s install script is being erroneously served as content type application/x-install-instructions by Site.js’s Express static server. I have an issue open to fix this after the next release. Until then, temporarily, Should I pipe it? also accepts this content type.

Developer documentation

This is a Site.js app. The source code you see here is the whole app.

To run it, clone this repository, install Site.js (make sure you check the install script with Should I pipe it 😜), switch to your working directory, and type:

site

Then, visit https://localhost to see your local version.

Thoughts? Comments?

Please let me know what you think about this approach (and if you have any comments and suggestions) by opening an issue.

My goal in the longer term is to evolve this so that scripts with three verifications are marked as verified instead of just one.

Like this? Fund us!

Small Technology Foundation is a tiny, independent not-for-profit.

We exist in part thanks to patronage by people like you. If you share our vision and want to support our work, please become a patron or donate to us today and help us continue to exist.

Powered by Site.js

Site.js is a complete small technology tool for developing, testing, and deploying a secure static or dynamic personal web site or app with zero configuration. With Node.js, (soon) Hugo, and more bundled into a single binary.

Copyright

© 2020 Aral Balkan, Small Technology Foundation.

License

AGPL version 3.0 or later.
