The installation instructions being a `curl | sh` writing to the user's bashrc does not inspire confidence.
They did say it was inspired by cargo, which is often installed using rustup as such:
```
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```
I don’t love this approach either (what a security nightmare…) - but it is easy to do for users and developers alike. Having to juggle a bunch of apt-like repositories for different distros is a huge time sink and adds a bunch of build complexity. Brew is annoying with its formulae vs tap vs cask vs cellar - and the associated Ruby scripting… And then there’s Windows - ugh.
I wish there was a dead simple installer TUI that had a common API specification so that you could host your installer spec on your.domain.com/install.json - point this TUI at it and it would understand the fine-grained permissions required, handle required binary signature validation, manifest/SBOM validation, give the user freedom to customize where/how things were installed, etc.
This is fitting for something simulating cargo, which is a huge supply chain risk itself.
Given you're about to run a binary, it's no worse than that.