by SwellJoe 4227 days ago
I don't believe it is "completely wrong", and I discussed the reason you should prefer signed packages from your OS vendor, though that wasn't my focus.

If you install packages from a third party, and if they are signed, you are generally getting the signing key from the same location. I.e., when the Rust developers build packages (as has been suggested will be the solution to this problem), you'll also need to install their signing key, presumably from the same webserver that is serving you the script that is being judged insecure in this thread.

"Except you can't authenticate the script with curl+pipe, so if someone compromised the server or the communication link it's game over."

s/package and signing key/script with curl+pipe/

The two are not dramatically different if an attacker has taken over the website in question, or if the build/distribution infrastructure has otherwise been compromised, and that was my point.

You could do an sha checksum of the script, and you could obtain the package signing key by meeting up with the developer in person and checking their ID, and you could download the sources, check them thoroughly, and build your own packages, etc., etc. Very few people do that.

There are levels of risk at every stage. It is a difficult problem to distribute software in a safe fashion.

All of that said: I install everything from a package. If it is not from the OS standard repository, I download the source package and build it myself (sometimes checking the source tarball for anomalies and checking the patches to be sure nothing is obviously amiss). I do not enable third party repositories unless I trust them a lot. If no package is available, I make one, and sign it with my own key. If I can't make one, I don't use the software in a deployment (the cost of maintaining a piece of software built from source is way too high).

I was not suggesting that curl+pipe is a good practice. Merely that we live in a world full of compromises. And ensuring you are getting what you think you're getting, and that the person who packaged it had no malicious intent, is a lot harder than merely installing from a package (particularly a package from a source that doesn't have stringent identity requirements... Debian and Fedora packages have a pretty clear ownership trail... most third party packages do not).

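The comment above mentions checksumming the script as one of the steps almost nobody takes. As an added example (not code from the thread or from any project discussed in it), here is the minimal shell version of that step: fetch the installer to a file, compare its SHA-256 digest against a value obtained over a channel independent of the download server, and only then execute it. The "download" is a constructed local file so the example runs offline; the URL in the comment is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Verify an installer against an
# out-of-band SHA-256 digest before running it, instead of `curl ... | sh`.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256.
# EXPECTED_SHA256 must come from somewhere other than the server that served
# FILE (a signed release note, a digest read out by the developer, a distro
# package). A digest published next to the script on the same server adds
# nothing: an attacker who replaced the script can replace the digest too.
# Returns 1 and does not execute FILE on mismatch.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: checksum mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# Constructed sample standing in for
#   curl -sSL https://example.invalid/install.sh -o install.sh
# Writes a harmless two-line script to a temp file and prints its path.
make_sample_script() {
    tmp=$(mktemp)
    printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$tmp"
    echo "$tmp"
}

# Usage (only when run directly, not when sourced by a test harness):
#   f=$(make_sample_script)
#   digest=$(sha256_of "$f")      # in real life: obtained out of band
#   verify_and_run "$f" "$digest" # runs the script
#   echo 'echo pwned' >> "$f"     # simulate a compromised server
#   verify_and_run "$f" "$digest" # refuses: checksum mismatch
```

Swapping the digest comparison for `gpg --verify` against a detached signature is the stronger form of the same check, but it moves the problem to where the thread already put it: the key's fingerprint still has to be confirmed through some channel other than the webserver that hands you the script.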

Signing keys can easily be distributed out of channel and also verified through a chain of trust. Even if you got a forged key you could, at minimum, detect post-facto that the key was fake.

Moreover, there are things you can build on top of signed packages (distributed consensus of signatures and keys) that can't be built on top of curl+pipe.

curl+pipe is mental.

You're right, and I agree with you. Packages that are signed by a trusted party are a reasonable choice; anything less is not reasonable.

But, lots of people add third party software repositories without out-of-channel confirmation of signing keys, and without any awareness of the risks involved in that. I see it more than most (I support server-side software products with a million or so installations), and I'm amazed at how often third party repos are enabled on people's systems, seemingly without any reason other than "more software is better". They often don't even know why/when they enabled those other repos or who operates them.

That's no different than this curl+pipe scenario.

Yeah, third party repos are pretty unreasonable. The problem is that software development now moves pretty fast and package maintainers can't or don't want to keep up. That, coupled with the fact that building packages is far too difficult for most distros, incentivizes people to take risks that they shouldn't be taking.

Systems need to be safe by default and they should largely service the needs of users. Distros are no longer doing that.

>They often don't even know why/when they enabled those other repos or who operates them.

Most likely because they either blindly followed instructions from a website or blindly ran an install script from a website, giving it root access. In which case it is basically equivalent to curl + pipe.