• davehtaylor@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.

    • erwan@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      No matter how they package it, running a binary downloaded from Internet has the same attack surface

      • 4dpuzzle@beehaw.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        4 months ago

        You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.