[whorleater]

Yeah telling us to blindly run a shell script is...a quirky design choice. At least it doesn't tell you to run it with sudo like I've seen some other ones do, and the shell script itself is sanely commented.

[jacobscott]

If the script source is on github and isn't run under sudo, is there a meaningful difference between curl | sh and apt-get install from a PPA, gem/pip install, etc?

[whorleater]

Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.

[jacobscott]

The software has to be distributed somehow, right? Probably over https? What makes curl more susceptible to MITM than apt-get/pip/gem/etc?

I don't particularly like curl | sh either, but without sudo, I'm not sure how much it /really/ differs, security wise, from other options.

Edit: real package managers have improved features compared to curl, as outlined in another branch of the comments.

[dchanm]

If you want to be extra cautious you can verify that the script hasn't changed with our release key

https://patchworksecurity.com/releases.txt

The latest release (2.0.0) has been signed by my key 0x85C64E20

[yaworsk]

Looked at the site and read the comments which made me think about the HN post yesterday about hiding vulnerabilities in plain site (https://news.ycombinator.com/item?id=10889721). Like your idea though.

[dchanm]

Hi yaworsk,

We're working on improving our API documentation. You can develop against our API and not use the supplied client.

https://patchworksecurity.com/docs/

[yaworsk]

Oh nice! that's a great idea, thanks for sharing