by andrewaylett 833 days ago
The counterpoint would be: you're intending to run their code, if it's malicious then you're hosed anyway.

In bygone times, one might suffer from a truncation attack or otherwise end up running arbitrary code that's not what the vendor intended. Nowadays, there's really no security difference in curl|bash vs downloading a package and running it. Or, indeed, installing using `cargo install`.

That doesn't mean I'm happy running it, but my argument against it is less a security argument and more a predictability one: I want to be able to cleanly uninstall later, and package managers normally provide more consistent support for uninstalling than an arbitrary shell script.
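The "download to a file, verify, then run" pattern that the comment above contrasts with curl|bash, as an added example (not part of the thread and not the commenter's code): the installer is a constructed script written to a temp dir, and the vendor-published SHA-256 digest is stood in for by hashing the intact file locally, which is an assumption made only so the demo runs offline. It also shows the defence against the truncation attack the comment mentions: the installer keeps its body in a main() that is only called on the last line, so a copy cut off mid-transfer fails to parse instead of running half its commands.

```shell
#!/bin/sh
# Added example, not from the thread: "download to a file, verify, then run",
# which gives a fetched installer the same integrity check a package manager
# performs. Runs offline: the "download" is a constructed script written to a
# temp dir, and the vendor-published digest is stood in for by hashing the
# intact file locally (an assumption for the demo only).
set -eu

# Print the SHA-256 of a file (GNU coreutils sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run SCRIPT EXPECTED_SHA256 [ARGS...]
# Returns 1 unless the file on disk hashes to the expected digest; only then
# hands it to sh. A curl|bash pipeline has no point at which to insert this check.
verify_and_run() {
    vr_script="$1"; vr_expected="$2"; shift 2
    vr_actual=$(sha256_of "$vr_script")
    if [ "$vr_actual" != "$vr_expected" ]; then
        printf 'refusing %s: sha256 %s != expected %s\n' \
            "$vr_script" "$vr_actual" "$vr_expected" >&2
        return 1
    fi
    sh "$vr_script" "$@"
}

# Constructed installer. Its body lives in main() and is only invoked on the
# last line, so a script truncated mid-transfer is a parse error, not a partial run.
make_installer() {
    cat > "$1/install.sh" <<'EOF'
#!/bin/sh
set -eu
main() {
    printf 'installed into %s\n' "$1"
    echo ok > "$1/installed.txt"
}
main "$@"
EOF
}

# Intact download: digest matches, installer runs, marker file appears. Returns 0.
demo_intact() {
    d=$(mktemp -d)
    make_installer "$d"
    expected=$(sha256_of "$d/install.sh")
    if verify_and_run "$d/install.sh" "$expected" "$d" >/dev/null \
       && [ -f "$d/installed.txt" ]; then
        rm -rf "$d"; return 0
    fi
    rm -rf "$d"; return 1
}

# Truncated download (first 5 of the 7 lines): the digest check rejects it, and
# even when run directly the main() wrapper means nothing executes. Returns 0
# only if both protections held.
demo_truncated() {
    d=$(mktemp -d)
    make_installer "$d"
    expected=$(sha256_of "$d/install.sh")
    head -n 5 "$d/install.sh" > "$d/partial.sh"
    if verify_and_run "$d/partial.sh" "$expected" "$d" 2>/dev/null; then
        rm -rf "$d"; return 1      # the mismatching file must not be accepted
    fi
    if sh "$d/partial.sh" "$d" 2>/dev/null; then
        rm -rf "$d"; return 1      # the cut-off script must not parse and run
    fi
    if [ -e "$d/installed.txt" ]; then
        rm -rf "$d"; return 1      # nothing may have run
    fi
    rm -rf "$d"; return 0
}

demo_intact && demo_truncated && echo "intact copy accepted, truncated copy rejected"
```

In real use the expected digest comes from somewhere other than the download itself (the vendor's release page, a signed checksum file, or a signature checked with the vendor's key); hashing the file you just fetched proves nothing. That separate channel is exactly what a package manager's signed repository metadata supplies, and it is what the shell-pipe form has to do without.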

1 comment

The cleanup and uninstall concern is one of the reasons I run as many things in containers as I can. It's so easy to blow away a container and its volumes compared to traditional software uninstallation.