I fear I'll open another can of worms, but here's a rare consideration. If I download, unzip, and then run, on-access virus scanning will hit both the archive and the executable. If I pipe from wget straight to sh, it never hits disk - and I don't know the OS internals well enough to guess whether a virus scanner can make a file handle to stdin.
And before I come off as a paranoid nut: yes, I have a virus scanner on OSX. No, I don't usually use it unless something piques my curiosity (or I'm on my employer's network. Their house, their rules). That said, I've never had my house broken into, but I still lock my door.
But for the specific examples in the article:
- Homebrew, I trust. If I'm going to trust them to patch & build every app it installs, I may as well trust their distribution mechanism.
- Dropbox, by blindly running a script from some third-party website I've never heard of? I'd rather go to dropbox.com and hit the download link.
It takes a ton of work to package and upload a binary, and if you make it malicious it's right there in the download folder.
This is more like executing the current text of a web site (whatever that is) in a totally ephemeral way. That gives total plausible deniability to anyone who would serve you a particular version based on your IP, for example.... (or anything else). You're just not keeping the evidence.
I mean, you "could". But doing things this way, you're not...
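Both comments above come down to the same two properties that `wget -O- URL | sh` throws away: the script never touches disk (so an on-access scanner never sees it) and no copy survives to show what was actually served. The POSIX shell functions below are an added example, not code from the thread or from any project mentioned in it: `stage_script` takes the piped script on stdin, writes it to a directory, records its SHA-256 in a manifest, and prints the path; `run_staged` re-hashes the file and refuses to execute it if it no longer matches the recorded hash. The directory layout and manifest format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage pattern it is meant to replace:
#   wget -O- URL | sh
# becomes
#   f=$(wget -O- URL | stage_script ~/.staged) && run_staged "$f"
# The script now lands on disk (visible to an on-access scanner) and a hash
# plus the file itself remain as evidence of what the server actually sent.

# Hash with whichever tool the host has (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Read a script from stdin, save it under DIR with a timestamped name,
# append "<sha256>  <path>" to DIR/manifest, and print the path.
# Nothing is executed here; the caller gets a chance to inspect first.
stage_script() {
    dir=$1
    mkdir -p "$dir"
    umask 077                       # keep staged scripts private to this user
    file="$dir/script-$(date +%Y%m%dT%H%M%S)-$$.sh"
    cat > "$file"
    hash=$(sha256_of "$file")
    printf '%s  %s\n' "$hash" "$file" >> "$dir/manifest"
    printf '%s\n' "$file"
}

# Re-hash the staged file and run it only if it matches its manifest entry,
# so anything altered between staging and execution is refused.
run_staged() {
    file=$1
    dir=$(dirname "$file")
    expected=$(grep -F -- "  $file" "$dir/manifest" 2>/dev/null | tail -n1 | cut -d' ' -f1)
    actual=$(sha256_of "$file")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "refusing to run $file: hash mismatch or no manifest entry" >&2
        return 1
    fi
    sh "$file"
}
```

The manifest is append-only and lives beside the scripts, so after the fact you can compare the hash you ran against what the vendor publishes, or hand the exact file to a scanner or a colleague. That is precisely the evidence the one-liner discards.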