Nightly WebKit builds

The WebKit team announced a new site today where you can download nightly builds of the latest WebKit – very cool. I went ahead and wrote the following simple shell script to automate the process of downloading and installing the latest build:

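#!/bin/sh

# Download the latest nightly disk image; stop if the download fails
curl -f -o /tmp/webkit.dmg http://nightly.webkit.org/builds/Latest-WebKit-CVS.dmg || exit 1

# Mount the image (it appears as /Volumes/WebKit)
hdiutil mount /tmp/webkit.dmg || exit 1

# Replace the installed copy only if the image really contains WebKit.app
if [ -d /Volumes/WebKit/WebKit.app ]; then
    rm -rf /Applications/WebKit.app
    cp -pR /Volumes/WebKit/WebKit.app /Applications/
fi

# Unmount the image
hdiutil detach /Volumes/WebKit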

Sure, it could be a little more robust (or you might prefer one of the other two builds), but it works. Put this in a new file, chmod +x it, and drop it into /etc/daily to have it run each morning.

(updated 2005-12-21 to reflect new webkit packaging and fix minor bugs)
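
A more defensive variant of the script above, as an added example that is not the original script: it downloads and mounts inside a private directory created by mktemp instead of the fixed /tmp/webkit.dmg path, and stops at the first failed step. The function names, the --install switch and the webkit-nightly prefix are choices made for this example.

```shell
#!/bin/sh
# Added example: same download/mount/copy steps, private work directory.
set -eu

URL="http://nightly.webkit.org/builds/Latest-WebKit-CVS.dmg"  # URL from the post
APP="WebKit.app"

# mktemp -d creates a new directory with an unpredictable name and mode
# 0700, so a file or link planted in /tmp beforehand is never reused.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/webkit-nightly.XXXXXX"
}

# True only for a real directory (not a symlink) that nobody else can
# read, write or enter.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] &&
        [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Unmount (if mounted) and remove the work directory on any exit.
cleanup() {
    hdiutil detach "$work/mnt" >/dev/null 2>&1 || true
    rm -rf "$work"
}

install_nightly() {
    work=$(make_workdir)
    trap cleanup EXIT
    is_private_dir "$work" || { echo "unsafe work dir: $work" >&2; return 1; }
    mkdir "$work/mnt"

    # -f makes curl fail on an HTTP error instead of saving the error page
    curl -fsS -o "$work/webkit.dmg" "$URL"

    # Mount read-only at our own mount point rather than under /Volumes
    hdiutil attach -nobrowse -readonly -mountpoint "$work/mnt" "$work/webkit.dmg"

    [ -d "$work/mnt/$APP" ] || { echo "no $APP in image" >&2; return 1; }
    rm -rf "/Applications/$APP"
    cp -pR "$work/mnt/$APP" /Applications/
}

# Run the install only when asked, so the functions can be checked alone.
if [ "${1:-}" = "--install" ]; then install_nightly; fi
```

Run it with the --install argument from a user's cron job or launchd job; the account needs write access to /Applications.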

Comments and responses

This script is insecure because it not only runs with root privileges but also writes to a predictable filename in a world-writeable directory. Someone could put a nasty link at “/tmp/webkit.dmg” which could result in you unwittingly overwriting or modifying an important file elsewhere on the filesystem. Even if you are the only person who uses your machine, you should probably get out of the habit of writing insecure shell scripts.
This script is insecure because it not only runs with root privileges
Well, the script itself can be run as any user. It would only run as root if you use /etc/daily to have it run automatically (which I suggested only because it's the easiest). There are of course numerous other ways you could run the script as a non-root user, such as from a user's cron job or a launchd script (which would probably be the best way really).
Someone could put a nasty link at “/tmp/webkit.dmg” which could result in you unwittingly overwriting or modifying an important file elsewhere on the filesystem.
Actually, it would only replace the link itself. I just experimented with both a soft link and hard link, and in both cases the link was replaced while the original file elsewhere on the file system was untouched. I'd be interested in hearing instructions for replicating the kind of behavior you described (though I'm pretty sure it's not possible).

Is it insecure? Arguably, but I don’t think so. Is it the best way to go about it? Perhaps not. There’s a comment on the original article about a product called NightShift that seems to do basically the same thing (though I’ve not looked at it, and can’t really speak as to how good it is).

@AlthA: Perhaps you missed the last paragraph of my last comment where I mentioned NightShift. After downloading it and looking at it, the main additional thing it seems to support is backing up the last copy of WebKit. That could be added to this script with one additional line, but I didn’t see it as a huge thing. I find it a little silly when people write full Cocoa apps to do something that can just as easily be done with a 7 line bash script. I guess I’m just more comfortable at a command line – to each their own.