My main question is in 90% of cases these are installers. How are you actually verifying the software that you install? In some cases it is signed and verified but in many cases it is just coming down from the same HTTPS server with no additional verification. So are you then diffing the code (which may be compiled) as well?
I'm not saying that random running random installers from the internet is a great pattern. Something like installing from your distribution can have better verification mechanisms. But this seems to add very little confidence.
a10r · 9h ago
You're absolutely right—vet's scope is focused on securing the installer script itself, not the binary it downloads.
The goal is to prevent the installer from being maliciously modified to, for example, skip its own checksum verification or download a binary from a different, malicious URL.
It's one strong link in the chain, but you're right that it's not the whole chain.
No comments yet
shivawu · 3h ago
The other thing is.. installer generally only runs once on a single machine, not sure how useful it is to “show the changes since last run”
ajross · 1h ago
> How are you actually verifying the software that you install?
By installing it through a well-audited, cryptocraphically-signed and community-maintained package list with a solid security history. What?
The bug here isn't that "it's hard to make downloading scripts secure!", it's that people on macs (and a few other communities, but really it's just OS X culture at fault here) insist on developing software with outrageous hackery like this and refuse to demand better from their platform.
Fix that. Don't pretend that linting (!!) shell scripts pulled off the open internet is going to do anything.
3abiton · 8h ago
This an amazing solution. I wondered about this often, looking at you `uv`, but in a lot of the cases I cave given that everyone else trust some code maintainers.
thealistra · 8h ago
Can you show how it works on the page or readme as a video?
Does it open pager or editor? How does it show the shellcheck issues.
gardnr · 9h ago
This is a great idea!
One extra feature could be passing the contents of the shell script to an LLM and asking it to surface any security concerns.
alganet · 8h ago
What if someone peppers their malicious script with `# shellcheck disable=` pragmas?
a10r · 9h ago
Love the idea!
The two biggest hurdles for a security tool like this are LLM non-determinism and the major privacy risk of sending code to a third-party API.
This is exactly why vet relies on ShellCheck—it's deterministic, rules-based, and runs completely offline. It will always give the same, trustworthy output for the same input.
But your vision of smarter analysis is absolutely the right direction to be thinking. I'm excited for a future where fast, local AI models can make that a reality for vet. Great food for thought!
No comments yet
charcircuit · 2h ago
This is somewhat flawed by not automatically happening when a user does curl | bash. Windows is able to automatically scan files when the user goes to install them.
a10r · 10h ago
Hi HN, I'm the creator of `vet`. I've always been a bit nervous about the `curl | bash` pattern, even for trusted projects. It feels like there's a missing safety step. I wanted a tool that would show me a diff if a script changed, run it through `shellcheck`, and ask for my explicit OK before executing. That's why I built `vet`.
The install process itself uses this philosophy - I encourage you to check the installer script before running it!
> I wanted a tool that would show me a diff if a script changed, run it through `shellcheck`
Why? What exactly do you think "shellcheck" does? When do you think you're diffing and what do you think you are diffing with?
> and ask for my explicit OK before executing.
But to what end? You're not better informed by what the script does with this strategy.
A small shell script like yours I can read in a minute and decide it does nothing for me, but large installers can be hard to decipher since they are balancing bandwidth costs with compatibility, and a lot of legitimate techniques can make this hard to follow without care and imagination.
> The install process itself uses this philosophy - I encourage you to check the installer script before running it!
I don't understand what philosophy you're talking about.
I think you're doing the exact same thing that malicious attackers do, you're just doing it worse:
You're getting it: I think your program sucks, but I also like the idea of trying to do something, and I understand you just don't have any idea what to do or what the problem actually is.
So let me teach you a little bash:
check () {
echo "> $BASH_COMMAND" >&2
echo -n "Allow? (yes/no) " >&2
select c in yes no
do
if [ "$c" = "yes" ]
then break
elif [ "$c" = "no" ]
then return 1
fi
done
}
shopt -s extdebug
trap check DEBUG
This little scriptlet will wait until bash tries to run something, and ask before proceeding. Simples. Put this in front of an installer (or something else messy) and get step-by-step confirmation of what's going on. Something like this is in the BASH manual someplace, or was once upon a time.
In a large script this might annoy people, so if it were me, I would have a whitelist of commands that I think are safe, or maybe a "remember" option that updates that script. I might also have a blacklist for things like sudo.
While I'm on the subject of sudo, a nasty trick bad guys use is get you to run sudo on something innocuous and then rely on the cached credentials to run a sneaky (silent) sudo in the same session. Running sudo -k before interacting with an unknown program can help tremendously with this.
__MatrixMan__ · 5h ago
I'm glad to see that I'm not the only person worried about this. It's a pretty glaring bit of attack surface if you ask me. I chuckled when I saw you used nvm as an example in your readme. I've pestered nvm about this sort of thing in the past (https://github.com/nvm-sh/nvm/issues/3349).
I'm a little uncertain about your threat model though. If you've got an SSL-tampering adversary that can serve you a malicious script when you expected the original, don't you think they'd also be sophisticated enough to instead cause the authentic script to subsequently download a malicious payload?
I know that nobody wants to deal with the headaches associated with keeping track of cryptographic hashes for everything you receive over a network (nix is, among other things, a tool for doing this). But I'm afraid it's the only way to actually solve this problem:
1. get remote inputs, check against hashes that were committed to source control
2. make a sandbox that doesn't have internet access
3. do the compute in that sandbox (to ensure it doesn't phone home for a payload which you haven't verified the hash of)
charcircuit · 1h ago
Vet only downloads once, so what do you mean by subsequent download?
Also hashing on inputs is brittle and will break anytime the developer pushes an update. You want to trust their certificate instead.
nodesocket · 5h ago
This looks great and all, but trying to read and digest a multi hundred line bash script seems unrealistic. Full send pipe into bash.
sgarland · 4h ago
And this is why this exploit mechanism works so well.
Most installers are doing the same basic patterns: checking for dependencies, checking the distro, etc. It’s not hard to figure these out and spot them in different scripts.
I'm not saying that random running random installers from the internet is a great pattern. Something like installing from your distribution can have better verification mechanisms. But this seems to add very little confidence.
The goal is to prevent the installer from being maliciously modified to, for example, skip its own checksum verification or download a binary from a different, malicious URL.
It's one strong link in the chain, but you're right that it's not the whole chain.
No comments yet
By installing it through a well-audited, cryptocraphically-signed and community-maintained package list with a solid security history. What?
The bug here isn't that "it's hard to make downloading scripts secure!", it's that people on macs (and a few other communities, but really it's just OS X culture at fault here) insist on developing software with outrageous hackery like this and refuse to demand better from their platform.
Fix that. Don't pretend that linting (!!) shell scripts pulled off the open internet is going to do anything.
Does it open pager or editor? How does it show the shellcheck issues.
One extra feature could be passing the contents of the shell script to an LLM and asking it to surface any security concerns.
The two biggest hurdles for a security tool like this are LLM non-determinism and the major privacy risk of sending code to a third-party API.
This is exactly why vet relies on ShellCheck—it's deterministic, rules-based, and runs completely offline. It will always give the same, trustworthy output for the same input.
But your vision of smarter analysis is absolutely the right direction to be thinking. I'm excited for a future where fast, local AI models can make that a reality for vet. Great food for thought!
No comments yet
The install process itself uses this philosophy - I encourage you to check the installer script before running it!
I'd love to hear your feedback.
The repo is at https://github.com/vet-run/vet
Why? What exactly do you think "shellcheck" does? When do you think you're diffing and what do you think you are diffing with?
> and ask for my explicit OK before executing.
But to what end? You're not better informed by what the script does with this strategy.
A small shell script like yours I can read in a minute and decide it does nothing for me, but large installers can be hard to decipher since they are balancing bandwidth costs with compatibility, and a lot of legitimate techniques can make this hard to follow without care and imagination.
> The install process itself uses this philosophy - I encourage you to check the installer script before running it!
I don't understand what philosophy you're talking about.
I think you're doing the exact same thing that malicious attackers do, you're just doing it worse:
I mean your script knows about wget, but your server doesn't. Sad. I also think you should be telling people to pull "https://github.com/vet-run/vet/blob/main/scripts/install.sh" instead of trying to be cute, but that's just me.> I'd love to hear your feedback.
You're getting it: I think your program sucks, but I also like the idea of trying to do something, and I understand you just don't have any idea what to do or what the problem actually is.
So let me teach you a little bash:
This little scriptlet will wait until bash tries to run something, and ask before proceeding. Simples. Put this in front of an installer (or something else messy) and get step-by-step confirmation of what's going on. Something like this is in the BASH manual someplace, or was once upon a time.In a large script this might annoy people, so if it were me, I would have a whitelist of commands that I think are safe, or maybe a "remember" option that updates that script. I might also have a blacklist for things like sudo.
While I'm on the subject of sudo, a nasty trick bad guys use is get you to run sudo on something innocuous and then rely on the cached credentials to run a sneaky (silent) sudo in the same session. Running sudo -k before interacting with an unknown program can help tremendously with this.
I'm a little uncertain about your threat model though. If you've got an SSL-tampering adversary that can serve you a malicious script when you expected the original, don't you think they'd also be sophisticated enough to instead cause the authentic script to subsequently download a malicious payload?
I know that nobody wants to deal with the headaches associated with keeping track of cryptographic hashes for everything you receive over a network (nix is, among other things, a tool for doing this). But I'm afraid it's the only way to actually solve this problem:
1. get remote inputs, check against hashes that were committed to source control
2. make a sandbox that doesn't have internet access
3. do the compute in that sandbox (to ensure it doesn't phone home for a payload which you haven't verified the hash of)
Also hashing on inputs is brittle and will break anytime the developer pushes an update. You want to trust their certificate instead.
Most installers are doing the same basic patterns: checking for dependencies, checking the distro, etc. It’s not hard to figure these out and spot them in different scripts.