
Comment by chlorion

11 days ago

>The curl|sh workflow is no more dangerous than downloading an executable off the internet

It actually is for a lot of subtle reasons, assuming you were going to check the executable checksum or something, or blindly downloading + running a script.

The big thing is that it can serve you up different contents if it detects it's being piped into a shell, which is in theory possible, but also because if the download is interrupted you end up with half of the script run, and a broken install.

If you are going to do this, it's much better to do something like:

    sh -c "$(curl https://foo.bar/blah.sh)"

Though ideally yes you just download it and read it like a normal person.
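The interrupted-download failure mode described in the comment above can be reproduced offline. This is an added example, not part of the original comment: both installers are constructed, the cut-off is simulated with `head -c`, and the second installer shows the common script-author mitigation of putting the body in a function that is only called on the last line.

```shell
#!/bin/sh
# Constructed installer, unwrapped: sh runs each line as soon as it is read.
plain_installer() {
cat <<'EOF'
echo step1 >> "$LOG"
echo step2 >> "$LOG"
echo step3 >> "$LOG"
EOF
}

# Same constructed installer, body wrapped in a function that is invoked
# only by the final line, so a truncated copy never reaches the call.
wrapped_installer() {
cat <<'EOF'
main() {
echo step1 >> "$LOG"
echo step2 >> "$LOG"
echo step3 >> "$LOG"
}
main
EOF
}

# Simulate a dropped connection: keep only the first $2 bytes of installer $1,
# pipe them into sh, and print how many of the three steps actually ran.
run_truncated() {
    LOG=$(mktemp); export LOG
    # The truncated stream makes sh exit non-zero; ignore that status here.
    "$1" | head -c "$2" | sh 2>/dev/null || true
    steps=$(wc -l < "$LOG" | tr -d ' ')
    rm -f "$LOG"
    echo "$steps"
}

echo "plain,   cut at 45 bytes: $(run_truncated plain_installer 45) of 3 steps ran"
echo "wrapped, cut at 45 bytes: $(run_truncated wrapped_installer 45) of 3 steps ran"
echo "wrapped, complete:        $(run_truncated wrapped_installer 1000) of 3 steps ran"
```

The wrapper only protects against truncation; it does nothing about a server returning different content to a piped client, which still requires downloading the file and inspecting or checksumming it before running.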