Docs feedback: GitLab recommending a BAD/INSECURE practice
On various doc pages describing the installation of the GitLab Runner, there appear snippets which end by piping a file from the internet to a shell:
https://docs.gitlab.com/runner/install/linux-manually.html
curl -sSL https://get.docker.com/ | sh
https://docs.gitlab.com/runner/install/linux-repository.html
curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh | sudo bash
This is a HORRIBLE practice, and GitLab should be ASHAMED for recommending this sort of usage. A user SHOULD NEVER pipe something from the internet directly to a shell; that's just plain idiotic from a security standpoint. Plus, you're now training users that this is an acceptable way to run scripts; what happens when a user learns this functionality from you, then applies it elsewhere? YOU are culpable.
You should seriously consider re-writing the docs to suggest that the user download the file to disk, verify its checksum (preferably SHA-256 at a minimum), and then run the script. Anything less and you're promoting BAD PRACTICES. Frankly, it makes me question whether you take security seriously at all, and where else you use bad practices.
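
The download, verify, then run sequence suggested in the post, as an added example (not part of the original post and not GitLab's own tooling). The function names are hypothetical, and it assumes the publisher provides the expected SHA-256 digest through a channel separate from the script download.

```shell
#!/bin/sh
# Added example: save the installer to disk, check its SHA-256, run only on a match.
# Function names are hypothetical; the expected digest must come from a trusted,
# separate channel (assumption: the publisher provides one).

# fetch_installer URL DEST: write the script to a file instead of piping it to a shell.
fetch_installer() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 --output "$2" "$1"
}

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only if FILE hashes to EXPECTED.
# Returns 2 for an unreadable file or a digest that is not 64 hex characters long.
verify_sha256() {
    [ -r "$1" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED [ARGS...]: execute FILE with sh only after verification.
run_verified() {
    file=$1
    digest=$2
    shift 2
    if verify_sha256 "$file" "$digest"; then
        sh "$file" "$@"
    else
        echo "refusing to run $file: SHA-256 mismatch or invalid digest" >&2
        return 1
    fi
}

# Usage (placeholder digest, not a real value):
#   fetch_installer https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh script.deb.sh
#   run_verified script.deb.sh '<sha256-from-trusted-source>'
```

Saving the file first also lets the user read the script before running it, and a truncated or failed download is rejected by the digest check instead of being partially executed.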