Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.
You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.
Agree.
Not at all a security expert here, but maybe doing it inside a distrobox could be a temporary fix?
Forget it,
I just tried and it seems it gets installed in your home directory so using distrobox doesn’t change anything (apparently, but as I said I’m not an expert so feel free to correct me if I’m wrong).
However, I’ve seen they also have it available through a bunch of package managers like nix, arch and Fedora
Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.
No matter how they package it, running a binary downloaded from Internet has the same attack surface
You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.
Agree. Not at all a security expert here, but maybe doing it inside a distrobox could be a temporary fix?Forget it, I just tried and it seems it gets installed in your home directory so using distrobox doesn’t change anything (apparently, but as I said I’m not an expert so feel free to correct me if I’m wrong).
However, I’ve seen they also have it available through a bunch of package managers like nix, arch and Fedora