Hacker News new | ask | show | jobs
by whorleater 3812 days ago
Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.
2 comments
jacobscott 3812 days ago
The software has to be distributed somehow, right? Probably over https? What makes curl more susceptible to MITM than apt-get/pip/gem/etc?

I don't particularly like curl | sh either, but without sudo, I'm not sure how much it /really/ differs, security wise, from other options.

Edit: real package managers have improved features compared to curl, as outlined in another branch of the comments.

link
dchanm 3812 days ago
If you want to be extra cautious you can verify that the script hasn't changed with our release key

https://patchworksecurity.com/releases.txt

The latest release (2.0.0) has been signed by my key 0x85C64E20

link