by digitalsushi 131 days ago
This is an incredible tool.

As a child in the 1980s we'd go for long walks in the woods. One time a friend brought a pair of 30 inch bolt cutters with him, you know, as a personality extension. And of course, there was some dubious reason to use them, and he was a hero for being over-provisioned.

A solution like this is those bolt cutters - I can admire it, but the odds I'm out on a walk with it are very, very low.

Now if you work in a bolt factory, sure, this can run on every laptop, every user account, every environment.

But I'd hope my edge firewalls are L7 scanning for Cyrillic 'i' in my domains 'cause otherwise I'm just gonna connect and get myself hacked.

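The "Cyrillic 'i' in my domains" check the comment above wants from an L7 firewall amounts to flagging hostname labels that mix scripts. The snippet below is an added example written for this page, not code from the tool under discussion: it pulls the hostname out of a URL, decodes any punycode (`xn--`) labels, classifies each character by script from its Unicode name, and reports labels containing more than one script. The sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit


def char_script(ch: str) -> str:
    """Rough script class taken from the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, '-', etc.
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def decode_label(label: str) -> str:
    """Turn an IDNA 'xn--' label back into Unicode; leave others untouched."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def suspicious_labels(url: str):
    """Return (label, scripts) for every hostname label that mixes scripts.

    A label written entirely in one script (e.g. a genuine Cyrillic domain)
    is not reported; only Latin/Cyrillic-style mixing is.
    """
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        decoded = decode_label(label)
        scripts = {char_script(c) for c in decoded} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((decoded, sorted(scripts)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the second 'a' is U+0430, CYRILLIC SMALL LETTER A.
    for u in ("https://www.paypal.com/", "https://www.p\u0430ypal.com/login"):
        print(u, "->", suspicious_labels(u) or "clean")
```

Note the limitation stated in the docstring: a lookalike label made entirely of confusable characters from a single non-Latin script passes this check, so mixed-script detection is one layer, not the whole answer.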

Also there's always the risk that the bolt cutter has a defect (perhaps deliberately introduced at some point when it was manufactured) which will cause you more damage than the thing you're trying to prevent by carrying it.

I'm personally a bit wary of introducing a relatively obscure security tool into my setup, to protect against a rare possible attack. The chance that I'll get caught copy-pasting a compromised URL into my terminal is fairly small, and there's also a small chance I'll compromise my system either now or at some later point via a supply chain attack if I use the tool. Which chance is bigger?

Is there really a supply chain vulnerability if you inspect the app and never update it?

This is, for me, a "set and forget" kind of tool -- why would I need to update a script?

Are you really inspecting every app you install, including all its dependencies, and the dependencies of those dependencies, to a level of detail sufficient to identify sophisticated and obfuscated backdoors?

In the real world, nobody does this. Instead, you make a conscious choice to trust the apps that you install. Every decision of whether to install an app is a tradeoff between (a) the risk that that trust is misplaced, and (b) the benefits of the app.