by TacticalCoder 45 days ago
> My mind still cannot understand the quality and refinement that's gone into cURL. It really is the perfect example of something done so right, that people barely think twice about.

And all that to then end with people doing: "curl ... | bash" and not seeing anything wrong about it. Then they'll deflect about "threat models" and other nonsense.

I leave you your curl-bash, I keep my cryptographically signed packages installer.

1 comments

I am also a signing fanboi but I have to point out that the security problem of curl into bash is not really addressed by signing. Signing proves that the component was produced by who claimed to have produced it. It says nothing about that component being legitimate or non-malicious. As long as the curl bash uses TLS it’s going to be pretty similar for all practical purposes.