Comment by jimmar

4 hours ago

From the home page:

> Stop trusting blindly

> One-line installer scripts,

Here are the manual install instructions from the "Install / Build" page:

> curl -L https://aur.archlinux.org/cgit/aur.git/snapshot/jai.tar.gz | tar xzf -

> cd jai

> makepkg -i

So, trust their jai tool, but not _other_ installer scripts?

Yes, unpacking a tar file is much safer than piping arbitrary code to bash! You can look at the PKGFILE in the directory--it is only 30 lines long and mostly variable assignments. The build/check/package functions are 7 lines of code total. Compare that to something like rustup (910 lines of code), claude (158 lines), or opencode (460 lines).

No, no, see this is untrustworthy:

  curl -L https://aur.archlinux.org/cgit/aur.git/snapshot/jai.tar.gz | tar xzf - && cd jai && makepkg -i
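The inspect-before-build workflow debated in this thread, as an added shell example that is not from any commenter or from the jai project: it refuses archives whose entry names escape the extraction directory and summarises the PKGBUILD (the file makepkg reads) before anything executes. The function names are hypothetical, and the download and build steps appear only as comments.

```shell
# Added example: review an AUR snapshot before building it.
# All function names here are hypothetical helpers, not part of any tool.

# Read archive entry names on stdin; print those that are absolute or
# contain a ".." path component (names only; link targets are not checked).
unsafe_names() {
    grep -E '(^/|(^|/)\.\.(/|$))' || true
}

# Print the unsafe entry names found in a gzip-compressed tarball.
unsafe_entries() {
    tar -tzf "$1" | unsafe_names
}

# Extract into a fresh directory only if no entry name escapes it.
safe_extract() {
    archive=$1
    dest=$2
    bad=$(unsafe_entries "$archive")
    if [ -n "$bad" ]; then
        printf 'refusing to extract, unsafe entries:\n%s\n' "$bad" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Report how much there is to read: total lines, and how many of the
# standard makepkg functions (the parts that run code) are defined.
pkgbuild_summary() {
    f=$1
    lines=$(wc -l < "$f" | tr -d ' ')
    funcs=$(grep -cE '^[[:space:]]*(prepare|pkgver|build|check|package)(_[A-Za-z0-9_]+)?[[:space:]]*\(\)' "$f" || true)
    printf '%s lines, %s functions\n' "$lines" "$funcs"
}

# Intended use, run by hand so each step can be reviewed:
#   curl -L -o jai.tar.gz https://aur.archlinux.org/cgit/aur.git/snapshot/jai.tar.gz
#   safe_extract jai.tar.gz ./review
#   pkgbuild_summary ./review/jai/PKGBUILD
#   less ./review/jai/PKGBUILD        # read it before building
#   (cd ./review/jai && makepkg -i)
```

Saving the archive to a file first means the bytes that were inspected are the same bytes that get built, which a pipe into `tar` or `bash` cannot guarantee.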