Docs feedback: gitlab recommending a BAD/INSECURE practice
On various doc pages describing the installation of the gitlab runner, there appear snippets which end by piping a file from the internet to a shell:
https://docs.gitlab.com/runner/install/linux-manually.html
curl -sSL https://get.docker.com/ | sh
https://docs.gitlab.com/runner/install/linux-repository.html
curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh | sudo bash
This is a HORRIBLE practice, and gitlab should be ASHAMED for recommending this sort of usage. A user SHOULD NEVER pipe something from the internet directly to a shell; that's just plain idiotic from a security standpoint. Plus, you're now training users that this is an acceptable way to run scripts; what happens when a user learns this functionality from you, then applies it elsewhere? YOU are culpable.
You should seriously consider re-writing the docs to suggest that the user download the file to disk, verify its checksum (preferably SHA-256 at a minimum), and then run the script. Anything less and you're promoting BAD PRACTICES. Frankly, it makes me question whether you take security seriously at all, and where else you use bad practices.
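The download-verify-then-run flow the reporter asks for, as an added example that is not part of the issue and not GitLab's own installer code. The digest comparison is done on a local file, so the demo runs offline with a constructed "installer" whose SHA-256 is computed on the spot; in real use the expected digest would come from somewhere other than the download itself (a release page, a signed checksums file), and the URL in `fetch_verify_run` is a placeholder, not a GitLab or Docker endpoint.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, check its SHA-256 against a value
# obtained out of band, and execute it only when the digest matches.
set -eu

# Hex SHA-256 of a file, using whichever digest tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE with INTERPRETER (default: sh) only if its digest equals
# EXPECTED_SHA256; on mismatch nothing is executed and 1 is returned.
verify_and_run() {
    file=$1
    expected=$2
    interp=${3:-sh}
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    "$interp" "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temporary file first; the shell never sees the network stream.
# -f fails on HTTP errors; --proto '=https' and --tlsv1.2 refuse plain HTTP
# and old TLS versions, so a redirect cannot silently downgrade the transport.
fetch_verify_run() {
    tmp=$(mktemp)
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"
    if verify_and_run "$tmp" "$2"; then status=0; else status=1; fi
    rm -f "$tmp"
    return $status
}

# Offline demonstration with a constructed installer script (assumed input,
# not a real vendor file). The "published" digest is computed here to stand in
# for the value a vendor would publish separately from the download.
demo() {
    good=$(mktemp)
    printf '#!/bin/sh\necho "installer ran"\n' > "$good"
    published=$(sha256_of "$good")
    verify_and_run "$good" "$published" || { rm -f "$good"; return 1; }

    # A tampered copy: one appended line changes the digest, so it never runs.
    bad=$(mktemp)
    cat "$good" > "$bad"
    echo 'echo "unexpected extra command"' >> "$bad"
    if verify_and_run "$bad" "$published" 2>/dev/null; then
        rm -f "$good" "$bad"
        return 1
    fi
    rm -f "$good" "$bad"
}
```

Comparing against a digest that is served next to the file on the same host only proves the download was not corrupted in transit; it does not prove the file is what the vendor meant to publish. For that, the expected value has to come from a second channel or the file has to carry a signature you can check (for example a detached GPG signature over the checksums file), which is a stronger check than the bare SHA-256 comparison shown here.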