*I’m* always a bit shocked how seriously people take concerns over the install s...

shakna · 2025-12-08T00:01:45 1765152105

Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

stouset · 2025-12-09T18:16:19 1765304179

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool

Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.

shakna · 2025-12-09T19:24:32 1765308272

I'm not advocating for either of those.

    pacman -Sy {tool}
    pkg_add {tool}
    apt install {tool}

Even the AUR does a lot more to make you secure, than a straight curl - even though throwing things up there is easy.

saagarjha · 2025-12-08T04:40:36 1765168836

What’s your alternative?

shakna · 2025-12-08T06:34:52 1765175692

A mirrored package manager, where signature and executable are always grabbed from different sources.

Like apt, dnf, and others.

saagarjha · 2025-12-08T08:36:15 1765182975

Pretty sure my apt sources have the signing and package pointing to the same place

shakna · 2025-12-08T08:50:39 1765183839

If you have more than a single source, then apt will already be checking this for you.

The default is more than a single source.

saagarjha · 2025-12-08T10:21:31 1765189291

All of mine point to like somethingsomething.ubuntu.com

shakna · 2025-12-08T11:29:47 1765193387

If it points to mirror.ubuntu.com, it'll be mirroring at host end, instead of inside apt. But as apt does do resolution to a list, it'll be fetching from multiple places at once.

romaniitedomum · 2025-12-07T21:22:19 1765142539

> I’m always a bit shocked how seriously people take concerns over the install script for a binary executable they’re already intending to trust.

The issue is provenance. Where is the script getting the binary from? Who built that binary? How do we know that binary wasn't tampered with? I'll lay odds the install script isn't doing any kind of GPG/PGP signature check. It's probably not even doing a checksum check.

I'm prepared to trust an executable built by certain organisations and persons, provided I can trace a chain of trust from what I get back to them.