~swapgs

@portaloffreedom @marcan I don’t see this as a counter-argument against curl|bash—if you’re pulling a malicious project or from a compromised backend, it’s already game over anyway? It’s no different from pulling a random software dependency from whatever registry your ecosystem offers.

Dek 👨‍🚀🐧🚀

@swapgs
@marcan
The only difference for me being that creating a website for a malicious project and paying Google to spam people to download it is much easier than having a package in a repository.

But this discussion is super interesting, I didn't expect to get my base ideas on software distributions being challenged this deeply today.

Hector Martin

@portaloffreedom @swapgs There are very good reasons to distribute software via repositories, which is why the App Store exists. But sometimes the vendor-blessed repository isn't suitable (e.g. more traditional FOSS packages), and then what do you do? Install an alternate repository (Homebrew) or a whole new OS with its own package manager (Fedora Asahi). And in both of those cases, you use curl|sh to do it :)
