Copilot AI commented Feb 9, 2026

README recommended curl | bash from unstable main branch and referenced non-existent installation scripts removed in Phase 6 cleanup.

Changes

Security fixes:

  • Replaced curl | bash from main with git clone as primary method
  • Alternative download method now uses pinned commit hashes with verification steps
  • Added explicit security warnings and file inspection guidance

Corrections:

  • Fixed docker-compose.unified.yml → docker-compose.yml
  • Removed references to deleted scripts (scripts/install.sh, scripts/migrate-to-unified.sh)
  • Added examples for METICULOUS_IP configuration

Before:

curl -fsSL https://raw.githubusercontent.com/hessius/MeticAI/main/scripts/install.sh | bash

After:

# Primary: transparent and verifiable
git clone https://github.com/hessius/MeticAI.git
cd MeticAI
# create .env, then: docker compose up -d

# Alternative: pinned commit with verification
COMMIT_HASH="104d7c5"
curl -fsSL "https://raw.githubusercontent.com/hessius/MeticAI/${COMMIT_HASH}/docker-compose.yml" -o docker-compose.yml
cat docker-compose.yml  # inspect before executing
sha256sum docker-compose.yml  # verify integrity

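An added example, not part of this PR or the MeticAI repository: running `sha256sum` on its own only prints a digest, so this sketch compares it against an expected value and installs the file only on a match, and it accepts only a full 40-character commit SHA as the pinned ref. The function names are hypothetical, and the expected digest is assumed to come from a source you trust independently of the download.

```shell
#!/usr/bin/env bash
# Added example; function names and all sample values are assumptions.

# True only for a full 40-character lowercase hex commit SHA. Branch names
# and tags can be moved, and abbreviated hashes can become ambiguous.
is_full_commit_sha() {
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# Compare a file's SHA-256 with an expected digest obtained out of band.
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
  file=$1; expected=$2
  [ -f "$file" ] || return 2
  case "$expected" in *[!0-9a-f]*) return 2 ;; esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Fetch docker-compose.yml at a pinned commit into a temp file and move it
# into place only after the digest matches. Needs network, so it is only
# defined here; call it as: fetch_pinned_compose <40-hex-sha> <sha256> [dest]
fetch_pinned_compose() {
  commit=$1; expected=$2; dest=${3:-docker-compose.yml}
  if ! is_full_commit_sha "$commit"; then
    echo "refusing ref that is not a full commit SHA: $commit" >&2
    return 2
  fi
  tmp=$(mktemp) || return 2
  url="https://raw.githubusercontent.com/hessius/MeticAI/${commit}/docker-compose.yml"
  if curl -fsSL "$url" -o "$tmp" && verify_sha256 "$tmp" "$expected"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "download or checksum check failed; nothing was installed" >&2
    return 1
  fi
}
```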

Copilot AI and others added 2 commits February 9, 2026 18:24
…y checks

Address security feedback from PR #155:
- Remove curl | bash from unstable 'main' branch
- Replace with git clone as primary method (safer, more transparent)
- Add alternative method with commit hash pinning
- Include explicit security warnings
- Add file verification steps (review file, checksum)
- Fix incorrect filename (docker-compose.unified.yml → docker-compose.yml)
- Document best practices for downloading configs

Fixes #155 (comment)

Co-authored-by: hessius <1499030+hessius@users.noreply.github.com>
- Add link to GitHub commits page for finding latest commit hash
- Clarify that commit hash is an example that should be updated
- Provide example values for METICULOUS_IP (hostname and IP address)
- Make placeholders more helpful with inline comments

Co-authored-by: hessius <1499030+hessius@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP: Address feedback on Phase 6 cleanup and documentation updates" to "docs: replace insecure curl | bash with pinned versions and verification" Feb 9, 2026
@hessius hessius marked this pull request as ready for review February 9, 2026 18:27
Copilot AI requested a review from hessius February 9, 2026 18:27
@hessius hessius merged commit 3fb9bec into feature/136-phase6-cleanup Feb 9, 2026
@hessius hessius deleted the copilot/sub-pr-155-again branch February 9, 2026 18:27