by jacobscott 3814 days ago
If the script source is on github and isn't run under sudo, is there a meaningful difference between curl | sh and apt-get install from a PPA, gem/pip install, etc?

Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.
The software has to be distributed somehow, right? Probably over https? What makes curl more susceptible to MITM than apt-get/pip/gem/etc?

I don't particularly like curl | sh either, but without sudo, I'm not sure how much it /really/ differs, security-wise, from other options.

Edit: real package managers have improved features compared to curl, as outlined in another branch of the comments.

If you want to be extra cautious you can verify that the script hasn't changed with our release key:

https://patchworksecurity.com/releases.txt

The latest release (2.0.0) has been signed by my key 0x85C64E20.
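The download-verify-then-run gate the thread contrasts with bare curl | sh, as an added example that is not any commenter's code; the URL, pinned SHA-256 digest and keyring path are assumed inputs the user obtains out of band (release notes, a signed releases file), not values from this page:

```shell
#!/bin/sh
# Added example, not any commenter's code: download an install script to disk,
# verify it against a pinned SHA-256 digest (and optionally a detached PGP
# signature checked against a pinned keyring), and only then execute it. The
# URL, digest and keyring path are assumed inputs supplied from a trusted
# out-of-band source, not from the same channel that served the script.

# sha256_of FILE: print the hex SHA-256 digest of FILE (Linux or macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_script FILE EXPECTED_SHA256: 0 if the digest matches, 1 otherwise.
verify_script() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# verify_signature FILE SIGFILE KEYRING: 0 only if gpg verifies the detached
# signature SIGFILE over FILE using the pinned KEYRING (no default keyring).
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# run_verified URL EXPECTED_SHA256: fetch to a temp file, verify, then run.
# Because the script is never piped straight from the network into sh, a
# truncated, substituted or MITM-altered download is rejected, not executed.
run_verified() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "digest mismatch for $url, refusing to run" >&2
        rm -f "$tmp"; return 1
    fi
    sh "$tmp"; status=$?
    rm -f "$tmp"
    return "$status"
}
```

verify_signature applies the same gate with the release key instead of a digest; pass a keyring that contains only the publisher's key so a signature from any other key is rejected.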