A Safer Curl | Bash for the Cloud

2021-10-14

Authors: Carolyn Van Slyck

Summary

Porter is a safer alternative to curl pipe bash for cloud-native deployments:

  • Porter helps create bundles with just one file and structured metadata to pass data between steps
  • Bundles borrow security features from existing tools and can be scanned for vulnerabilities
  • Porter can check bundle signatures and verify trusted publishers
  • Porter explain shows what's in the bundle and how to run it
  • Porter install is always the same command regardless of the tech stack
  • Bundles can help with quick starts, customer installations, troubleshooting, and backups

Bundles are useful for side projects where infrastructure and secrets are set up and then forgotten. With bundles, the logic for deploying an app can be captured and saved, so when returning to the project later, progress is not lost trying to re-figure out what was done. Bundles can also be shared among team members to pick up where someone left off without explicit handoff.

Abstract

Most of us have used curl to download a script and run it immediately. Using curl | bash provides instant gratification. We can quickly get up and running with an application without requiring a steep learning curve or a strong attention span. Unfortunately, the common advice is that this is not safe! But what if it was?

Let's walk through how we can work with people's natural tendencies, keep the one-liner and make it more secure. We will use Porter and Notary to transform an example cloud-native application deployment from a dicey bash script, executed with bash and hope, into a safer one-liner installation that was designed to be used in production.

You will learn:

  • Why curling a script to bash is insecure, and why bundles mitigate those risks.
  • How to reuse existing tools and scripts in a bundle, without starting over from scratch.
  • What a safer one-line user experience could look like.
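As an added illustration (not code from the talk, from Porter or from Notary), here is the core mitigation the abstract alludes to: execute only a fully downloaded file whose digest matches a value pinned out of band, rather than a stream as it arrives. The pinned SHA-256 stands in for the publisher-signature check that a signed bundle automates; the URL and digest are placeholders, and `sha256sum` is assumed to be available.

```shell
#!/usr/bin/env sh
# Added illustration, not Porter's implementation: contrast "curl | bash"
# (a stream executed as it arrives) with download-then-verify-then-run.
# The pinned digest plays the role that a trusted-publisher signature
# plays for a bundle; it must come from a channel other than the download.

# run_verified FILE EXPECTED_SHA256
#   Runs FILE with sh only if its SHA-256 digest equals EXPECTED_SHA256.
#   Returns 0 on success, 1 on digest mismatch, 2 if FILE is unreadable.
run_verified() {
  file=$1
  expected=$2
  [ -r "$file" ] || return 2
  actual=$(sha256sum "$file" | awk '{print $1}')   # assumes GNU coreutils
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: digest $actual != pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# fetch_and_run URL EXPECTED_SHA256
#   The safer one-liner shape: the whole script lands in a temporary file
#   first, so a truncated or altered download is rejected as a unit instead
#   of being half-executed the way a piped stream would be.
fetch_and_run() {
  tmp=$(mktemp) || return 2
  curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 2; }
  run_verified "$tmp" "$2"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Placeholder usage (URL and digest are not real values):
# fetch_and_run https://example.invalid/install.sh <PINNED_SHA256>
```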
