Complaints against curl <https-url> | sh in favor of downloading a pkg are the equivalent of requiring shoes off at TSA. Security theater.
@wycats @knowtheory that was my point, really. Not directly piping it allows you to take a look at the installer. Otherwise, signed repos.
@nvll @knowtheory the | sh pattern is what makes verification so simple; maligning it is misguided.
@wycats @knowtheory Perhaps I'm misunderstanding you? How does blindly executing code curl grabbed make verification easier?
@nvll @knowtheory vs. downloading a pkg and running it, where the script being run is hidden from sight.
@wycats @knowtheory The sh pattern is the same as unsigned, but if you remove the | sh you can do some verification if it's not a binary format.
@nvll @knowtheory it's the same as unsigned over HTTPS, yes, with a very simple verification step if you want it.