
Between you and me, are a bunch of other hops. Blindly trusting dependencies is one part of why npm is burning down at the moment.

Why trust un-signatured files hosted on a single source of truth? It isn't the 90s anymore.

    $ curl ${flags} https://site.io/install.sh | sh

    $ curl ${flags} https://site.io/tool > ./tool
    $ chmod u+x ./tool
    $ ./tool
Both of these are effectively the same damn thing but everyone loses their minds over the first one.

Also, a lot of those install scripts do check signatures of the binaries they host. And if you’re concerned that someone could have owned the webserver it’s hosted on, then they can just as easily replace the public key used for verification in the written instructions on the website.


I'm not advocating for either of those.

    pacman -Sy {tool}
    pkg_add {tool}
    apt install {tool}
Even the AUR does a lot more to make you secure than a straight curl, even though throwing things up there is easy.

What’s your alternative?

A mirrored package manager, where signature and executable are always grabbed from different sources.

Like apt, dnf, and others.
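The check the thread keeps circling back to (the `curl ... > ./tool` comment above and the "signature and executable from different sources" comment here) can be made concrete. The script below is an added example, not code posted by any commenter: `sha256_of` and `verify_and_install` are names chosen for this example, the two "download sources" are stand-in files constructed locally so it runs offline, and a SHA-256 digest file stands in for a detached signature. In real use the digest or signature would be fetched from a host other than the one serving the binary, and a signature checked with `gpg`/`minisign` against a key obtained out of band is stronger than a bare digest, because a digest only proves the two sources agree.

```sh
#!/bin/sh
# Added example, not code from the thread. Models the "two sources" idea:
# the artifact comes from one host, its digest from another, and nothing is
# executed until the two agree. Only standard POSIX tools are used.

# Print the SHA-256 hex digest of a file (coreutils, or BSD/macOS fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_install ARTIFACT DIGEST_FILE DEST
#   ARTIFACT    downloaded file (e.g. the output of `curl ... > ./tool`)
#   DIGEST_FILE "<hex digest>  <name>" line, as produced by `sha256sum`,
#               fetched from an independent location (signed release page,
#               second mirror); a hypothetical layout for this example
#   DEST        where to place the executable on success
# Returns 0 and installs DEST only if the digests match. On mismatch the
# artifact is deleted so a later `./tool` cannot run an unverified file.
verify_and_install() {
  artifact=$1; digest_file=$2; dest=$3
  expected=$(awk 'NR == 1 { print $1 }' "$digest_file" 2>/dev/null)
  actual=$(sha256_of "$artifact")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "refusing to install $artifact: expected ${expected:-<none>}, got $actual" >&2
    rm -f "$artifact"
    return 1
  fi
  cp "$artifact" "$dest" && chmod u+x "$dest"
}

# Stand-alone demonstration with constructed files in place of two downloads.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho "tool ran"\n' > "$tmp/tool"
  # "Source B": the digest, published separately from the binary.
  printf '%s  tool\n' "$(sha256_of "$tmp/tool")" > "$tmp/tool.sha256"
  verify_and_install "$tmp/tool" "$tmp/tool.sha256" "$tmp/bin-tool" && "$tmp/bin-tool"

  # "Source A" now serves something else: the digest check must reject it.
  printf '#!/bin/sh\necho "not the tool"\n' > "$tmp/tool"
  if verify_and_install "$tmp/tool" "$tmp/tool.sha256" "$tmp/bin-tool2"; then
    echo "BUG: tampered artifact accepted" >&2
  else
    echo "tampered artifact rejected and removed"
  fi
  rm -rf "$tmp"
}

demo
```

The point of deleting the artifact on mismatch is that the three-line `curl > ./tool; chmod; ./tool` pattern from the thread has no step that can fail closed; moving the chmod behind the comparison gives it one.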


Pretty sure my apt sources have the signing and package pointing to the same place.

If you have more than a single source, then apt will already be checking this for you.

The default is more than a single source.


All of mine point to like somethingsomething.ubuntu.com

If it points to mirror.ubuntu.com, it'll be mirroring at host end, instead of inside apt. But as apt does do resolution to a list, it'll be fetching from multiple places at once.


