by matthewaveryusa 3431 days ago
Can you explain to me the fundamental difference between this and sudo apt-get install? Note that the curl command is on an https resource. Yes, if the https server is compromised there's a problem, but that's true with any other delivery method.

I'm being facetious, as the answer is there isn't one.


>Yes if the https server is compromised there's a problem, but that's true with any other delivery method.

That's not correct. In most distros, installing packages from your distro's repositories has an additional security guarantee: the packages you download have their PGP signatures verified before installation. If an attacker compromises the web server and alters the package, your package manager will reject it as it's not signed by a trusted key in your keyring.

That is true for distribution-hosted repositories. But how many web sites are there that are like, "Add this line to sources.list, then run this apt-key command, and then run apt-get install our-app." So few people bother to check for a web of trust for the proffered key (or even know how to, or even grok the concept) that there is little functional difference.
So if other people do it too, it's automatically good?