by trollbridge 238 days ago
It's Apache licenced and you could also install it via your favourite package installer. Given all the crazy supply chain attacks going on, I don't really feel this is any worse than downloading a binary from a distro archive, and specifically this pipe | sh doesn't expect you to run it as root (which a lot of other cut-and-paste installers do).

> I don't really feel this is any worse than downloading a binary from a distro archive

Please don't say that. It denigrates the work of all the packagers that actually keep our supply chains clean. At least in the major distributions such as Red Hat/Fedora and Debian/Ubuntu.

The distro model is far from perfect and there are still plenty of ways to insert malware into the process, but it certainly is far better than running binaries directly from a web page. You have no idea who has access to that page and its mirrors or what their motives are. The binary isn't even signed, let alone reviewed by anyone!

I'm not sure how much better this is than blindly running "npm i thing", where I have no real assurance I'm not downloading a giant piece of malware either.

That's exactly why it's insane. People remember the pad-left fiasco.

Previously discussed here: https://news.ycombinator.com/item?id=11348798

Article now resides here: https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how...