Hacker News

atrettel, today at 4:38 PM (5 replies)

I still have no comprehension of how curl piped into a shell command has become the default installation method for many projects (looking at you, Rust...). It breaks my brain as to how potentially unsafe it is.


Replies

barnabee, today at 4:43 PM

Everyone’s eventually going to run a binary they downloaded from the same place. If you’ve already decided to do that, why is a curled install script worse?

petcat, today at 5:37 PM

Every package manager does the same thing: run a script.

Would you feel safer if they offered a .deb? Do you unpack and inspect every .deb you install?

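The thread contrasts piping an installer straight into a shell with installing a package you could have inspected first. The practical middle ground, as an added example that is not code from Rust, from any project mentioned here, or from any commenter: stage the script on disk with curl, pin its SHA-256 to the value the project publishes, and only execute it when the digest matches. The URL and digest a caller passes in are placeholders; the `run_if_pinned` and `install_pinned` names are this example's own.

```shell
#!/bin/sh
# Added example: stage an installer to disk, pin its SHA-256, then run it.
# Not code from any project or commenter in the thread. The URL and the
# expected digest are supplied by the caller and are placeholders here.

set -eu

# SHA-256 of a file, portable across sha256sum (coreutils) and shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute a staged installer only if its digest equals the pinned one.
# Returns 0 (and runs the script) on a match, 1 on any mismatch.
# A truncated download, a swapped file on the server, or an edit in
# transit all change the digest, so all of them are refused here, which
# a bare "curl ... | sh" cannot do because the pipe is never re-read.
run_if_pinned() {
    script="$1"
    expected="$2"
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
            "$script" "$actual" "$expected" >&2
        return 1
    fi
    sh "$script"
}

# Stage-then-run flow. Usage: install_pinned URL SHA256
# -f makes curl fail on HTTP errors instead of saving an error page,
# -o writes to a file so the script can be read (less, diff) before running.
install_pinned() {
    url="$1"
    expected="$2"
    staged=$(mktemp)
    curl -fsSL -o "$staged" "$url"
    run_if_pinned "$staged" "$expected"
}
```

Staging to a file is also what makes petcat's .deb comparison answerable: a downloaded archive can be opened before it is installed (for a .deb, the maintainer scripts that run at install time are in its control tarball, which `dpkg-deb --ctrl-tarfile pkg.deb | tar -t` lists), whereas a script arriving on a pipe has already started executing by the time you could look at it.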
da-x, today at 4:45 PM

It's all about lowest friction + domain-name trust.

Depending on third party packaging (distribution-validated install) is much higher friction.

TZubiri, today at 6:20 PM

Those that ask for trust, deserve no trust.

thomastjeffery, today at 4:59 PM

It's because people are too obsessed with providing complete instructions to incorporate any package manager into their instructions.

What we are really missing is an explicit progression from new software to maintained packages across distributions. As it is, each distro expects each package to have a maintainer, and very few people actually want to do that across several distros just to release their software. Generally, the expectation is to instead just wait around for people to make and maintain those packages by virtue of their own interest in your software, but it takes a while, and discoverability isn't automatic.