Zillowe Foundation | Zillowe Documentation

Installation via curl

Learn how to securely install software using the curl | zsm pattern.

One of the primary goals of ZSM is to provide a safe alternative to the dangerous curl | bash pattern. With ZSM, you get the convenience of one-liner installations with the security of a supervised sandbox.

The Pattern

To install software from a remote ZSM script, use the following command:

curl -fsSL https://example.com/install.zsm | zsm

How it Works

When you pipe a script into ZSM, the tool performs the following steps:

  1. Source Identification: ZSM reads the # :: url header from the piped input to identify the script source.
  2. Security Audit: ZSM parses the declarative headers and displays a summary of all requested permissions (Network, Filesystem, External Tools).
  3. Unique Approval: ZSM checks its local cache (~/.cache/zsm) for a previous approval of this specific script and version.
  4. Interactive TTY Prompt: If not cached, ZSM opens /dev/tty to ask for your permission. This ensures you can interact with the prompt even though stdin is busy reading the script.
  5. Supervised Execution: Once approved, ZSM executes the script logic while enforcing the approved sandbox.
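The sketch below illustrates steps 1, 3 and 4 of the flow above. It is an added example, not ZSM's own code. The "key value" layout after the # :: marker, the SHA-256 approval key, the demo cache directory and all function names are assumptions.

```python
import hashlib
import sys
from pathlib import Path

PREFIX = "# ::"  # header marker named on the page; "key value" after it is an assumption

def parse_headers(script):
    """Collect the leading '# :: key value' lines, stopping at the first other line."""
    headers = {}
    for line in script.splitlines():
        if line.startswith("#!") or not line.strip():
            continue
        if not line.startswith(PREFIX):
            break
        key, _, value = line[len(PREFIX):].strip().partition(" ")
        headers.setdefault(key, []).append(value.strip())
    return headers

def approval_key(script):
    """Hash the exact bytes so any change to the script invalidates a cached approval."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()

def ask_on_tty(question):
    """stdin is the pipe carrying the script, so prompt on the controlling terminal."""
    try:
        with open("/dev/tty", "w") as out, open("/dev/tty") as inp:
            out.write(question + " [y/N] ")
            out.flush()
            return inp.readline().strip().lower() == "y"
    except OSError:
        return False  # no terminal (CI, cron): fail closed

def gate(script, cache_dir, ask=ask_on_tty):
    """Return True only for a script approved now or earlier under the same hash."""
    marker = Path(cache_dir) / approval_key(script)
    if marker.exists():
        return True
    headers = parse_headers(script)
    if "url" not in headers:
        return False  # unidentified source: refuse rather than prompt
    summary = "; ".join(f"{k}={','.join(v)}" for k, v in headers.items())
    if not ask(f"Run script declaring {summary}?"):
        return False
    marker.parent.mkdir(parents=True, exist_ok=True)
    marker.touch()
    return True

if __name__ == "__main__":
    # Usage: curl -fsSL <url> | python3 gate.py   (demo cache dir, not ZSM's)
    ok = gate(sys.stdin.read(), Path.home() / ".cache" / "approval-demo")
    sys.exit(0 if ok else 1)
```

Keying the cache on a hash of the full script means a modified script never inherits an earlier approval, and a missing terminal results in a refusal instead of a silent run.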

Advantages over curl | bash

| Feature | curl \| bash | curl \| zsm |
| :--- | :--- | :--- |
| Trust Model | Blind Trust | Capability-Based |
| Auditability | Read 100s of lines of code | Review simple headers |
| Persistence | Re-runs code every time | Remembers your approval |
| Supervision | Full system access | Blocked unless approved |

Using with Dry-Run

You can safely test a remote installation script before committing to it by adding the --dry-run flag:

curl -fsSL https://example.com/install.zsm | zsm --dry-run

ZSM will show you exactly what it would have done without touching your system.



  • All the content is available under CC BY-SA 4.0, except where otherwise stated.
