by dngray 88 days ago
One of the things which really annoys me is the idea that it's ever acceptable to blindly "curl -fsSL" bullshit .sh scripts.

Even large companies have adopted this crap and you don't know whether there's any digital signing going on or whether they're downright stealing anything you have of value.

It's not difficult to generate an rpm, deb, tgz and relevant detached .asc PGP signature, or if you hate PGP use openssh signatures or something.

3 comments
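
The OpenSSH-signature alternative mentioned in the post, as an added example that is not from the thread: a publisher signs a release artifact with `ssh-keygen -Y sign`, and a consumer verifies the detached `.sig` against a pinned `allowed_signers` file obtained separately from the download itself (which is what addresses the "you're still getting the attacker's key" objection). The file names, the `release@example.com` principal and the `file` namespace are illustrative choices.

```shell
#!/bin/sh
# Added example: detached OpenSSH signature over a release artifact.
# Artifact name, signer principal and namespace are illustrative.
set -eu

# Nothing to demonstrate without openssh-client; bail out quietly.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the tarball a vendor would publish.
printf 'fake tarball contents\n' > "$WORK/release.tgz"

# Publisher side: a dedicated ed25519 signing key (empty passphrase so this runs unattended).
ssh-keygen -q -t ed25519 -N '' -C 'release@example.com' -f "$WORK/release_key"

# Detached signature in the "file" namespace; ssh-keygen writes release.tgz.sig beside the input.
ssh-keygen -Y sign -f "$WORK/release_key" -n file "$WORK/release.tgz"

# Consumer side: allowed_signers is the trust anchor. It must be pinned out-of-band
# (distro package, printed fingerprint, prior install), not fetched from the same
# page as the script, otherwise a compromised server signs with its own key.
# Format: principal [options] key-type base64-key
printf 'release@example.com %s\n' "$(cat "$WORK/release_key.pub")" > "$WORK/allowed_signers"

# verify_release ARTIFACT SIG ALLOWED_SIGNERS -> prints "ok" or "BAD"
# ssh-keygen -Y verify reads the signed message from stdin.
verify_release() {
  if ssh-keygen -Y verify -f "$3" -I release@example.com -n file -s "$2" < "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo BAD
  fi
}

# Untampered artifact verifies.
verify_release "$WORK/release.tgz" "$WORK/release.tgz.sig" "$WORK/allowed_signers"

# A single appended byte, as a tampered mirror or altered download would produce, fails.
cp "$WORK/release.tgz" "$WORK/tampered.tgz"
printf 'x' >> "$WORK/tampered.tgz"
verify_release "$WORK/tampered.tgz" "$WORK/release.tgz.sig" "$WORK/allowed_signers"
```

Only verify the artifact before executing it; a `curl | sh` pipeline leaves no point at which this check can run.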

How would providing a signed .deb help? You're still getting the attacker's public key, they can sign whatever they want.

Trusting distro maintainers to curate software in their repos can help, if you only ever install from the curated repos. If there's some software not in the repo which you need, then you can't rely on that trust. "Stable" distros like Debian are less likely to have all the necessary software in their repos, and the difficulty of getting software into a curated repo itself creates legitimate software that doesn't get into repos. That means "is this software in my distro's repository" can give a good signal that some software is safe, but can't give much signal that the software is unsafe.

Agreed. I was using mise to install Claude (via its npm package) and keep it updated, and then they nagged me to switch to the 'curl | bash' method. Now I get to keep it updated manually, plus they helped train all my peers to continue just executing random scripts right off the Internet.
Oh yes. OK, that's probably on bash, but you look at the script and it's like 200 lines of code. Then you read the alternate install instructions and it goes like "download binary, make executable, add to $PATH, run" - ???