@christmastree social.treehouse.systems/@marc

TL;DR: using a commercial CDN is more secure than piles of random third-party volunteer mirrors when you don't have an automated chain of trust system (like when you're just offering ISO downloads with a SHA hash that most users won't bother to verify).

curl|sh, by virtue of executing code, actually allows you/any distro to establish an automated chain of trust and not even have to trust the mirrors, though we don't do that yet ourselves, since our attack surface is small as we use a CDN anyway. For distros that insist on the random mirror approach, *switching* to a curl|sh script served from the home page that chooses a mirror, then downloads the file and verifies it, would indeed increase their security.
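An added example (not code from the post or from any distro) of the flow described above: a script served from the project's own HTTPS home page carries the release's pinned SHA-256, tries mirrors in turn, and discards any download that does not match, so the mirrors themselves never need to be trusted. The ISO name, hash and mirror URLs are placeholders, and `file://` URLs are accepted so the logic can be exercised without network access.

```shell
#!/bin/sh
set -eu

# Placeholders: a real script carries the current release's name and hash.
ISO_NAME="example-distro.iso"
ISO_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
MIRRORS="https://mirror1.example.invalid/iso https://mirror2.example.invalid/iso"

sha256_of() {
  # coreutils on Linux, perl shasum elsewhere
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

fetch() {
  # $1 = URL, $2 = destination; file:// is for offline testing of the logic
  case "$1" in
    file://*) cp "${1#file://}" "$2" ;;
    *) curl -fsSL --retry 2 -o "$2" "$1" ;;
  esac
}

fetch_verified() {
  # $1 = pinned SHA-256, $2 = destination, $3.. = mirror base URLs.
  # A failed or tampered download is discarded and the next mirror is tried,
  # so a malicious mirror can cause a delay but never an unverified file.
  expected=$1; dest=$2; shift 2
  tmp="$dest.part"
  for base in "$@"; do
    rm -f "$tmp"
    if ! fetch "$base/$ISO_NAME" "$tmp" 2>/dev/null; then
      echo "$base: download failed, trying next mirror" >&2
      continue
    fi
    actual=$(sha256_of "$tmp")
    if [ "$actual" = "$expected" ]; then
      mv "$tmp" "$dest"
      echo "$dest verified (sha256 $actual) from $base"
      return 0
    fi
    echo "$base: checksum mismatch ($actual), discarding" >&2
  done
  rm -f "$tmp"
  return 1
}

# Run the real download only when invoked with a destination path.
[ "$#" -eq 0 ] || fetch_verified "$ISO_SHA256" "$1" $MIRRORS
```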