← Back to context

Comment by uecker

6 days ago

I think it has a lot to do with "curl|bash". Cut&paste a curl|bash command-line disables all inherent mechanisms and stumbling blocks that would ensure properly ensuring trust. It was basically invented to make it easy to install software by circumventing all protection a Linux distribution would traditionally provide. It also eliminates all possibility for independent verification about what was installed or done on the machine.

6 comments

uecker

Reply
IshKebab  6 days ago

Downloading and installing a `.deb` or `.rpm` is going to be no more secure. They can run arbitrary scripts too.

  • uecker  6 days ago

    Downloading a deb via a package manager is more secure. Downloading a deb, comparing the hash (or at least noting down the hash) would also already be more secure.

    But yes, that the run arbitrary scripts is also a known issue, but this is not the main point as most code you download will be run at some point (and ideally this needs sandboxing of applications to fix).

    • IshKebab  6 days ago

      > Downloading a deb via a package manager is more secure.

      Not what I meant. Getting software into 5 different distros and waiting years for it to be available to users is not really viable for most software authors.

      2 replies →