by dbacar 11 days ago
This is one of the main reasons people like Podman. Docker has this "feature" but as far as I remember, it needed some obscure configuration. I guess they don't add it as default as it will break many current setups.

  curl -fsSL https://get.docker.com/rootless | sh
Please stop spreading this toxic curl|sh nonsense. It's wildly corrosive to security and system stability.
Is it really that much worse than using a package manager that drops a binary that you're not going to inspect anyways?
Yes, it is worse because using your package manager trusts your distribution (and the package's packager), doing curl bash trusts a random website.

While in this case Docker is not a random website, it's best to use the package manager when available.

> Yes, it is worse because using your package manager trusts your distribution (and the package's packager), doing curl bash trusts a random website.

Is installing Docker from Docker's own APT repo actually safer than curling a binary from Docker's website?

Like a sibling comment said, at least you can be sure that updates you will download are provided by the same entity, since the repositories are signed.
To just hammer that home:

Each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify.

As pointed out, piping curl to bash is problematic. Sure, you can go to a browser and check the output, but one of the more fun hacks is detecting server side if curl is piping to bash and dynamically rewriting the script during serving.

tldr: So long as the package keys are verifiable, you can download a package from a random mirror and be reasonably sure that it came from who it says it did.

With curl you have no hope, and it's possible to infer during execution that you are piping to bash.
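Added example, not part of any comment in this thread: the download-to-disk, verify, then execute pattern that the comments above contrast with `curl | sh`. It assumes the expected SHA-256 digest was obtained through a channel other than the server that serves the script; the function names and the sample installer are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the sample
# installer are constructed; the pinned digest is assumed to come from a
# channel other than the server that serves the script.

# Print the SHA-256 of FILE as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_file FILE EXPECTED: status 0 only if FILE hashes to EXPECTED,
# status 2 if FILE does not exist.
verify_file() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# run_verified FILE EXPECTED: execute FILE only after the check passes.
# The bytes hashed on disk are the bytes that run, which a script
# streamed straight into sh cannot guarantee.
run_verified() {
    if ! verify_file "$1" "$2"; then
        echo "refusing to run $1: digest mismatch or file missing" >&2
        return 1
    fi
    sh "$1"
}

# Constructed demo: a benign installer, its pinned digest, and a copy
# with different bytes (stands in for a mirror altering the script).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo "installing example-tool"\n' > "$dir/install.sh"
    pinned=$(sha256_of "$dir/install.sh")
    cp "$dir/install.sh" "$dir/mirror.sh"
    printf 'echo "line added by mirror"\n' >> "$dir/mirror.sh"
    ok=0;  run_verified "$dir/install.sh" "$pinned" || ok=$?
    bad=0; run_verified "$dir/mirror.sh" "$pinned" || bad=$?
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```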

> Each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify.

Who's downloading packages from untrusted sources but somehow has a trusted way to get the signing key? Say you want to install Claude Code and not use the `curl ... | bash` install method. Good thing Claude provides instructions for installing via apt[1]! But what do those instructions tell you to do? They tell you to download a key from downloads.claude.ai, then add the same domain to your apt sources list. So at the end of the day, you're still trusting that downloads.claude.ai hasn't been compromised.

[1] https://code.claude.com/docs/en/setup#install-with-linux-pac...

Actually it is much worse, I agree with the commenter.
Packages are signed, and contain manifests to check for file conflicts and help with cleanly uninstalling. The script installer might make bad assumptions during install that a package manager would catch.
This is a thread about agents that run random things on your computer as root because they feel like it. curl|sh somehow seems mild in comparison.
Whilst true, you can pretty easily assume and validate the result of that command.
That and podman lets you configure away from docker.io.
Podman has lots of underappreciated features, and it's fully open-source!
Hmmm, care to tell us a few of them?
I would also add Buildah and Skopeo to the mix of things that Podman does better. Also, Podman Desktop has better licensing than Docker Desktop. Podman is modular and as such they could easily change the way they do networking over time; for once, it doesn't break iptables and firewall rules by design but rather works together with the security design around these tools.
Kube play and quadlets are cool
Apart from rootless, main winning point is daemonless running of the containers. There is no podman service.
Running systemd inside a container + automatic SELinux integration