• davehtaylor@beehaw.org
    link
    fedilink
    arrow-up
    39
    ·
    4 months ago

    Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.

    • erwan@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      4 months ago

      No matter how they package it, running a binary downloaded from Internet has the same attack surface

      • 4dpuzzle@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        4 months ago

        You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.

    • shaked_coffee
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      4 months ago

      Agree. Not at all a security expert here, but maybe doing it inside a distrobox could be a temporary fix?

      Forget it, I just tried and it seems it gets installed in your home directory so using distrobox doesn’t change anything (apparently, but as I said I’m not an expert so feel free to correct me if I’m wrong).

      However, I’ve seen they also have it available through a bunch of package managers like nix, arch and Fedora