Complaints against curl <https-url> | sh in favor of downloading a pkg are the equivalent of requiring shoes off at TSA. Security theater.
Replying to @wycats
@wycats @knowtheory installing unknown software is harmful. It's the direct pipe to sh without any verification that is the problem here.
Replying to @nvll
@nvll @knowtheory and that is precisely as insecure as any other software you ever install.
Replying to @wycats
@wycats @knowtheory that was my point, really. Not directly piping it allows you to take a look at the installer. Otherwise, signed repos.
Replying to @nvll
@nvll @knowtheory the | sh pattern is what makes verification so simple; maligning it is misguided.
Replying to @wycats
@wycats @knowtheory Perhaps I'm misunderstanding you? How does blindly executing code curl grabbed make verification easier?
Replying to @nvll
@nvll @knowtheory vs. downloading a pkg and running it, where the script being run is hidden from sight.
Replying to @wycats
@wycats @knowtheory The sh pattern is the same as unsigned, but if you remove the | sh you can do some verification if it's not a binary format.
@nvll @knowtheory it's the same as unsigned over HTTPS, yes, with a very simple verification step if you want it.
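As an added example (not from the thread or any of its participants), here is the "download it first, verify, then run" step the last two tweets refer to, written as a POSIX shell script. It assumes the publisher provides a SHA-256 digest through a channel other than the script itself (a release page, a signed announcement) and that `sha256sum` or `shasum` is installed; the URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Replaces `curl URL | sh` with
# download -> checksum -> (optionally read it) -> run.
# Assumption: EXPECTED_SHA256 comes from the publisher via a separate channel.

set -u

# sha256_of FILE -> prints the hex digest (GNU coreutils or BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE only when its digest matches; on mismatch returns 1 and leaves
# the file in place so it can be inspected instead of silently executed.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Saves the installer to a temp file first, so there is a point at which
# it can be read, diffed against a previous copy, or rejected.
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_run "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder values, not a real URL or digest):
#   fetch_verify_run https://example.invalid/install.sh <PUBLISHED_SHA256>
```

The checksum only proves the file is the one the publisher hashed; it says nothing about whether that file is safe, which is the point made in the thread that an installer is only as trustworthy as the software it installs. Splitting the download from the execution is what creates the window for either check.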