[lpln3452]

No. It is absolutely ridiculous to suggest that one must read some unknown script just for the simple task of adding a binary to the directory on PATH. Unless, of course, you're the type of person who just runs any script without verification.

Furthermore, for files installed 'automatically' like that, it's nearly impossible to remember what was done and where. This means that to remove it, you have to find and read 'that specific version' of the script you ran, and then delete the files. It's not like the script is always in a place with a persistent history, like a git repository. Good luck with that.

[IshKebab]

Yeah uninstallation is a flaw, but what alternative are you suggesting?

And yes I am the type of person that uses heuristics to trust what software to run. You aren't magically safer if you audit the install script and not the actual binary.

[lpln3452]

The smaller the attack surface, the better. There is no need to expand it unnecessarily. By your logic, we shouldn't even use the binaries provided by the official package manager, because they also cannot be trusted.

We are talking about the dangers of the installation method. Not the program itself.

[IshKebab]

> We are talking about the dangers of the installation method. Not the program itself.

It only makes sense to separate them if you install the program and then never run it which is obviously ridiculous.

> There is no need to expand it unnecessarily.

I agree, but it is necessary because there aren't any good alternatives.

Also it is very minimal additional risk. If it wasn't we'd see it used as an attack method and as far as I know that has yet to happen once.