[dhuramas]

I recall two other popular projects doing the curl xyz| bash approach

Rust[0] Chef [1]

And here is an old HN comment[2] going into why it doesn't really matter.

Besides it's a Show HN- why be negative when we can raise the same issue more constructively as "Please add checksums and digital signatures. Also why not use regular GitHub releases in the installation instructions?"

[0] https://doc.rust-lang.org/book/ch01-01-installation.html [1] https://docs.chef.io/install_omnibus.html [2] https://news.ycombinator.com/item?id=12766049

[dmix]

RVM requires GPG keys which is the way to do it properly: https://rvm.io/

[hestefisk]

Exactly. A hash to verify the authenticity of the file / binary itself is what’s missing. Https is not enough.

[the-dude]

Brew