Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
From: Michael Greenberg
Subject: Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
Date: Sun, 15 Dec 2024 13:53:12 -0500
On 2024-12-16 at 03:12:07 AM, Akihiro Suda wrote:
>> BTW I don't fully understand the use case. I presume it's not for security
>> as if one could compromise the install.sh, presumably one could
>> compromise the checksum in the instructions. So I'm presuming it's
>> for extra resiliency or something?
>
> The instructions are often duplicated to third-party documents, blogs,
> books, etc., and also archived in web.archive.org.
> So there is a huge chance that the compromise of the checksum can be detected.
It's worth adding, for clarity/posterity: checking a checksum first
ensures you don't run partial scripts.
The shell is line-oriented, so an incomplete download piped to `sh` will
run... something. It can be hard to know exactly which effects to undo
in such a case!
The `sponge` utility (e.g., in Debian's moreutils package) is another
way to avoid the problem of partial scripts.
Cheers,
Michael
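As an added example (not part of this thread or the coreutils patch), a small POSIX shell function doing what the reply above recommends: buffer the whole stream, verify its digest, and only then hand it to `sh`, so a truncated download is refused rather than half-executed. It assumes GNU `sha256sum` is available; the two-line "installer" and its truncated copy are constructed for the demonstration.

```shell
#!/bin/sh
# run_checked EXPECTED_SHA256 [ARGS...]
# Reads a script from stdin, buffers ALL of it to a temp file, compares the
# SHA-256 digest with EXPECTED_SHA256, and only on a match runs it with sh.
# Returns 0 on success, 1 on setup failure, 2 on digest mismatch (script never run).
run_checked() {
    expected="$1"; shift
    tmp=$(mktemp) || return 1
    # Nothing is executed while the stream is still arriving.
    cat > "$tmp"
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch: expected %s, got %s\n' "$expected" "$actual" >&2
        rm -f "$tmp"
        return 2
    fi
    rc=0
    sh "$tmp" "$@" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample "installer": the second line is what a truncated
# download would silently drop.
SCRIPT='echo step1
echo step2
'
# Digest of the complete script, as an instructions page would publish it.
EXPECTED=$(printf '%s' "$SCRIPT" | sha256sum | cut -d' ' -f1)

# Complete stream: digest matches, both lines run.
demo_full() { printf '%s' "$SCRIPT" | run_checked "$EXPECTED"; }

# Stream cut after the first line (11 bytes): digest differs, nothing runs.
demo_truncated() { printf '%s' "$SCRIPT" | head -c 11 | run_checked "$EXPECTED"; }

# The hazard the reply describes: plain `sh` happily runs the partial script.
demo_naive_truncated() { printf '%s' "$SCRIPT" | head -c 11 | sh; }

demo_full
demo_truncated || echo "refused (exit $?)"
demo_naive_truncated
```

`sponge` from moreutils gives the same "buffer everything first" behaviour without the digest step, e.g. `curl ... | sponge script.sh && sh script.sh`.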