Pipe to Bash
Go visit the website of any of your favourite AI agents or tools and navigate to the installation instructions.
It's very likely going to be some form of curl URL | bash or npm i -g. Claude Code, OpenCode, Codex, Pi - all of them. I get it, it's convenient.
Thing is, even if you "trust" the provider, you can't rule out supply chain attacks. npm is already notorious on that front. Despite a prolonged effort by the npm folks to clean this up, contaminating the supply chain remains possible and has become ever more lucrative. And as if things couldn't get worse, there are now hundreds of published vibecoded programs that recommend the same process. The unsafe behaviour seems to have become the de facto way to install any software.
What's changed?
In the past, things were both simpler and more difficult. If you were on Linux (like me), you'd get your packages from the distribution's repositories. The package maintainer was usually not the developer, and a big emphasis was placed on shipping with trust.
There is no one-size-fits-all solution, though, and with the sheer amount of software being shipped today, not every package can reasonably be bundled by the distro itself. We are left with a few options:
- Ship binaries, let the user figure out which one to download matching their architecture and OS, where to place it and how to run it.
- Redirect them to a secondary package manager - brew, Snap etc.
- Write a script that combines either of these - which is how we end up with curl | bash
It’s obvious which one ended up winning - convenience.
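The mitigation a practitioner would reach for is to turn the pipe into two steps: save the installer to a file, compare its digest against one pinned out of band (a release page, a signed checksums file), and only then run it. Below is an added example of that pattern, not code from the post or from any of the tools named; the installer contents, file names and digest source are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): fetch-then-verify instead of "curl URL | bash".
# The installer is written to disk, its SHA-256 is compared with a digest pinned
# out of band, and the file is executed only when the two match. Because the
# file on disk is what gets hashed and what gets run, what you inspect is what
# executes. All names here are hypothetical.
set -u

# Portable SHA-256: GNU coreutils on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh and returns its status if the digest matches;
# otherwise returns 1 without executing anything.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s != pinned %s\n' \
            "$file" "$actual" "$expected" >&2
        return 1
    fi
    sh "$file"
}

# Typical use (network step shown for illustration only, not run here):
#   curl -fsSLo install.sh https://example.invalid/install.sh
#   verify_and_run install.sh "<digest copied from the project's release page>"

# Constructed sample "installer" so the example runs offline.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
sample="$tmpdir/install.sh"
printf '#!/bin/sh\necho "pretend install"\n' > "$sample"
pinned=$(sha256_of "$sample")   # stands in for the digest obtained out of band
```

Any later change to the file, whether a tampered download or a modified script, produces a different digest and the run is refused.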
What can we do?
Honestly, I'm not sure. AI is here to stay, and vibecoded software is only going to proliferate further. Maybe we'll reach a point where the default way to run software will have to be inside a sandbox or a MicroVM. At the same time, I believe the worst is really yet to materialise.
(Note: This post was written by a human)