by subway 3133 days ago
After initially recoiling in horror at running a `curl|bash` installer, I opened the installer in a browser planning on reading the install script. "Helpfully" the script is served up as `binary/octet-stream`, so instead of looking at it in the browser, I got to open it in an editor.

From there, it looks like the script does little more than add the `rpmfusion-free-release`, `rpmfusion-nonfree-release` and `folkswithhats-release` repositories. Of course since we started the install process through a shady insecure means, we should add the repos the same way. So every repo gets added via `dnf -y --nogpgcheck install https://url-to-repo-release-package`.

I went to browse the `folkswithhats` repo, but found it's hosted on AWS S3 and doesn't provide a directory index.

1 comment

You are overly paranoid... The GitHub repo is literally the first thing that shows up when searching for "Fedy" on Google:

https://github.com/folkswithhats/fedy

If the "--nogpgcheck" bothers you, a simple text replace over the source code solves it.

Same with the "curl|bash" thing, you are not obligated to run it that way, you can just clone the repo and run it however you want, it is open source!

It is funny the way people overreact with things like this with projects that are open source but are ok installing closed source software and feel safe because they got it from the official repos...

You're suggesting a solution for a very common use case many Fedora users have (i.e. installing skype, viber etc) in a New Release thread on a highly visible forum. This means many people could find and run this code, so I think it's warranted to analyze its security instead of dismissing it. I agree it has some bad security practices, which are hard to trust in this day and age.

I don't mean to dump on this project or the people behind it, fair dues to them for putting it together to make people's lives easier. But widely used software must be built and distributed securely.

Since it is GPL3, I wonder why the authors don't build and distribute it from COPR directly from github? It would solve the same problems, and make it easier to trust.
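The review subway describes in the first post (reading the installer before running it and spotting the `--nogpgcheck` installs) and the "simple text replace" suggested in the reply can both be done with a small audit script. This is an added example, not code from the thread or from the Fedy project; the sample installer and its hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedy project.
# Audit a downloaded installer before running it: count dnf/yum lines that
# disable GPG verification, list the URLs it installs from, and write a copy
# with --nogpgcheck removed so the package manager enforces repo signatures.

# Number of dnf/yum invocations that pass --nogpgcheck (prints 0 if none).
count_nogpgcheck() {
    grep -cE '(dnf|yum)[^#]*--nogpgcheck' "$1" || true
}

# Unique URLs the script fetches packages from; review each before trusting it.
script_urls() {
    grep -oE 'https?://[^[:space:]]+' "$1" | sort -u
}

# Write a hardened copy of $1 to $2 with every --nogpgcheck flag removed.
strip_nogpgcheck() {
    sed 's/[[:space:]]--nogpgcheck//g' "$1" > "$2"
}

# Constructed sample installer (hostnames are placeholders, not the real repos).
sample=$(mktemp)
hardened=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
dnf -y --nogpgcheck install https://repo.example.invalid/rpmfusion-free-release.rpm
dnf -y --nogpgcheck install https://repo.example.invalid/folkswithhats-release.rpm
dnf -y install vim
EOF

echo "nogpgcheck installs: $(count_nogpgcheck "$sample")"   # 2
echo "URLs referenced:"
script_urls "$sample"
strip_nogpgcheck "$sample" "$hardened"
echo "after hardening: $(count_nogpgcheck "$hardened")"     # 0
```

The hardened copy still pulls the release packages from the listed URLs, so the URLs themselves still need to be checked against the project's published repo locations before running it.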