Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.
Agree.
Not at all a security expert here, but maybe doing it inside a distrobox could be a temporary fix?
Forget it,
I just tried and it seems it gets installed in your home directory so using distrobox doesn’t change anything (apparently, but as I said I’m not an expert so feel free to correct me if I’m wrong).
However, I’ve seen they also have it available through a bunch of package managers like nix, arch and Fedora
You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.
Might be neat. Might check it out. But devs really need to stop asking me to install things by curling a script and piping it into my shell. There are better ways to do this. Doing this leaves a massive possible attack surface.
Agree. Not at all a security expert here, but maybe doing it inside a distrobox could be a temporary fix?Forget it, I just tried and it seems it gets installed in your home directory so using distrobox doesn’t change anything (apparently, but as I said I’m not an expert so feel free to correct me if I’m wrong).
However, I’ve seen they also have it available through a bunch of package managers like nix, arch and Fedora
No matter how they package it, running a binary downloaded from Internet has the same attack surface
You are right, except for one detail. Package managers almost always validate the packages using digital signatures, to avoid man-in-the-middle attacks. You don’t need to trust the network anymore. Shell scripts piped to a shell don’t have that protection. You still have to trust the developers and maintainers, though.
Shell scripts have md5 signatures