by LelouBil 11 days ago
Yes, it is worse because using your package manager trusts your distribution (and the package's packager), while doing curl | bash trusts a random website.

While in this case Docker is not a random website, it's best to use the package manager when available.

2 comments

> Yes, it is worse because using your package manager trusts your distribution (and the package's packager), while doing curl | bash trusts a random website.

Is installing Docker from Docker's own APT repo actually safer than curling a binary from Docker's website?

Like a sibling comment said, at least you can be sure that the updates you download are provided by the same entity, since the repositories are signed.
To just hammer that home:

Each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify.

As pointed out, piping curl to bash is problematic. Sure, you can go to a browser and check the output, but one of the more fun hacks is detecting server-side whether curl is piping to bash and dynamically rewriting the script while serving it.

tl;dr: So long as the package keys are verifiable, you can download a package from a random mirror and be reasonably sure that it came from who it says it did.

With curl you have no hope, and it's possible to infer during execution that you are piping to bash.

> Each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure it's the same package because the keys verify.

Who's downloading packages from untrusted sources but somehow has a trusted way to get the signing key? Say you want to install Claude Code and not use the `curl ... | bash` install method. Good thing Claude provides instructions for installing via apt[1]! But what do those instructions tell you to do? They tell you to download a key from downloads.claude.ai, then add the same domain to your apt sources list. So at the end of the day, you're still trusting that downloads.claude.ai hasn't been compromised.

[1] https://code.claude.com/docs/en/setup#install-with-linux-pac...
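As an added example that is not part of the thread (and not Docker's or Claude's own tooling), here is a shell script that does what the two comments above argue for. Instead of piping curl into bash, it downloads to a file and refuses to run it unless its SHA-256 matches a digest pinned from a second channel, so a script rewritten server-side for pipe-to-bash clients simply fails to match. For the repository-key case, it compares the fingerprint of a downloaded signing key against a value obtained out of band, rather than trusting whatever key the same domain served. The installer script and digests are constructed inline; the script assumes `sha256sum` or `shasum` is installed, and `gpg` only for `pin_key_fingerprint`, which the demo does not exercise.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes sha256sum or shasum;
# gpg is needed only by pin_key_fingerprint.
set -u

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Replacement for "curl URL | sh": the script is already on disk, so it can
# be read first, and it only runs if its digest equals one pinned from a
# second channel (docs page, release notes, a colleague). On mismatch the
# file is left in place for inspection and the function returns 1.
run_if_digest_matches() {
  local script="$1" expected="$2"
  local actual
  actual="$(file_sha256 "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: sha256 $actual != pinned $expected" >&2
    return 1
  fi
  sh "$script"
}

# For an apt repository key fetched from the vendor's domain: compare its
# fingerprint with one you recorded out of band before trusting it
# (e.g. before writing it to /etc/apt/keyrings and referencing it via
# Signed-By in the sources entry). Returns 0 only on an exact match.
pin_key_fingerprint() {
  local keyfile="$1" expected="$2"
  local fpr
  fpr="$(gpg --show-keys --with-colons "$keyfile" 2>/dev/null \
         | awk -F: '$1=="fpr"{print $10; exit}')"
  [ -n "$fpr" ] && [ "$fpr" = "$expected" ]
}

# Demo with a constructed stand-in for a vendor install script.
demo() {
  local tmp pinned
  tmp="$(mktemp)"
  printf '#!/bin/sh\necho "installer ran"\n' > "$tmp"
  # In real use the pinned digest comes from a second channel, never from
  # the same download; here it is computed once to simulate that.
  pinned="$(file_sha256 "$tmp")"
  run_if_digest_matches "$tmp" "$pinned"
  # Any later change to the served script (the server-side rewrite described
  # in the thread, or a plain CDN compromise) breaks the match.
  echo 'echo "extra line"' >> "$tmp"
  run_if_digest_matches "$tmp" "$pinned" || echo "tampered script rejected"
  rm -f "$tmp"
}

demo
```

The digest check only helps when the pinned value really comes from a different channel than the download; if the hash is published on the same page the script is served from, a compromised host can rewrite both, which is exactly the point the last comment makes about the apt key.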