Explorer pHAT install script double failure

(I feel those are common issue to your installer that might occurs for any other board and unrelated to explorer)

I found a double issue with explorer pHAT install script. Where should I push this?

“curl -sS get.pimoroni.com/explorerhat | bash” failed on me by not waiting for my input at the question: "Do you wish to continue? [y/N]"
The reason is that I was on a over USB console:
pi@p1:~$ tty
/dev/ttyGS0

I had to do “curl -sS get.pimoroni.com/explorerhat > explorerhat.sh”.
Then “bash explorerhat.sh -y” to have $FORCE equal to “-y”.

But then the script failed to detect that pip was not installed and I had to do it manually…

If you want to reproduce (and you should) I did this on a PiZero using ClusterHat p1 image. Yes this is raspbian lite so stuff are missing, but one could except missing part would be downloaded. Then I connected with “screen” from my Mac. And my Mac was also sharing internet connectivity (so I. could download stuff and compare with SSH behaviour).

I think the simple solution would be to make defaults to be reversed. I’ll have a look to see if there are any drawbacks… it’s to an extend an arbitrary choice.

Incidentally I think the following would work:

curl -sS get.pimoroni.com/explorerhat | bash -s - "-y"

… though I can’t recommend using the -y flag it isn’t something that was build for common use, it is (at this stage at least) build more as a way to minimise duplication of steps when chaining multiple scripts.

Edit: that is fact why it failed to install pip for you

Juste to clarify, I don’t need help, I manually installed pip and then it worked.

What happened is that your install script fail to query the Y/N answer because it was running on a different kind of tty.

The same script in an SSH session was working.

I used the -y option as the script code showed it bypass the Y/N question. I did not check if that has other side effect.

So the reason for posting here is so that you can fix your script (or all of them) so that they work in more situation (different tty and no pip installed).

We’ll push changes that should help with this particular scenario next week. I just meant that you don’t have to write an intermediary file to be able to pass it an argument.

This is lobbying and political statement… It does not deserve an answer:

I save it to an intermediary file for 3 reasons:

  1. I need to check it before running it, I don’t want to blindly run code downloaded from the web.
  2. There was a bug so I needed to read the script anyway.
  3. The script is not explicitly downloaded from HTTPS.

That is why I am totally against your one liner solution that pipe curl into bash… Problem (3) also mean it is very easy for an attacker to inject code in any of your script for targeted attack. He does not even need to make a man in the middle attack to break TSL.

If Raspberry Pi is about educating to technology, then those install script are a bad service to the next generation of developer. IoT is already a security nightmare, let’s try to make it better, not worse.

you can feed the files over https, it is supported and we try to advertise as such wherever possible.

That said, I understand the concerns, and I totally agree that if you do not wish to run code blindly, then you should have the option not to. We provide that opt-out, and supply a warning for that very reason.

… so thank you for making the case for me NOT make changes to cater for your use case, since it would bypass the opt-out. Either way, thank you for your feedback!

Seriously…It’s a PI! Are you doing banking on it?

They say the best way to learn is by making mistakes…