Email or username:

Password:

Forgot your password?
Hector's posts Post Back to profile
Top-level
Dek πŸ‘¨β€πŸš€πŸ§πŸš€

@marcan
I think the scariest thing is to make curl|bash normalized and then people running this from random websites for every single tool all the time. Then I don't have the same guarantees that a project like Asahi has.
Maybe a project is malicious, or their website is compromised.

I'm mostly scared about malicious project personally.

23 May at 10:52 | Wall-to-wall | Open on social.linux.pizza
3 comments
~swapgs

@portaloffreedom @marcan I don’t see this as a counter-argument against curl|bashβ€”if you’re pulling a malicious project or from a compromised backend, it’s already game over anyway? It’s no different from pulling a random software dependency from whatever registry your ecosystem offers.

23 May at 11:42 | Open on infosec.exchange
Dek πŸ‘¨β€πŸš€πŸ§πŸš€

@swapgs
@marcan
The only difference for me being that creating a website for a malicious project and paying google to spam people to download it is much easier than having a package in a repository.

But this discussion is super interesting, I didn't expect to get my base ideas on software distributions being challenged this deeply today.

23 May at 11:58 | Open on social.linux.pizza
Hector Martin

@portaloffreedom @swapgs There are very good reasons to distribute software via repositories, which is why the App Store exists. But sometimes the vendor-blessed repository isn't suitable (e.g. more traditional FOSS packages), and then what do you do? Install an alternate repository (Homebrew) or a whole new OS with its own package manager (Fedora Asahi). And in both of those cases, you use curl|sh to do it :)

23 May at 12:20 | Open on social.treehouse.systems
Go Up