zlacker

[parent] [thread] 2 comments
1. polite+(OP)[view] [source] 2026-02-06 06:07:14
No, not really. This reads like ornate hand waving to distract from different threat models and situations.

A lot of safety is down to accountability. A distribution through an attributable marketplace or being verifiably signed.

Safety isn't a performative action, so reading a script may still confuse you or you may miss subtleties. But opting for a safer install mechanism makes a huge difference, which is we always ought to prefer apt, dnf, over the likes of curlbash, brew, npm.

replies(2): >>mayhem+R21 >>queenk+P63
2. mayhem+R21[view] [source] 2026-02-06 15:03:58
>>polite+(OP)
I'm Not sure that I agree that it is automatically safer to prefer apt or dnf, and I'm definitely sure that it is not safer to prefer npm.

Safety is about managing risk. One element of managing risk is evaluating trust. I'm thinking that there are much fewer people I have to trust by copying the curl | bash install method from homebrew's secure website.

But at any rate, I completely agree that piping a curl'd script directly to the shell should be considered unsafe, even if it's from a trusted source. It's quite easy to do additional checks to reduce your risk significantly for this type of attack. You could read the contents of your clipboard with a hex editor and check for non-ascii characters. But wait? How do I install the hex editor? Don't I need a hex editor to check the install method of the hex editor? AAAAH! It's turtles all the way down!!!!

3. queenk+P63[view] [source] 2026-02-07 05:39:21
>>polite+(OP)
It's nice until you need something that isn't in the distro repo. Personally i prefer a script i can easily inspect over a .deb that will also run it's own scripts (as root!) that it takes me much more effort to inspect.

I guess yeah, you are right, distro repos are safest, but there's lots of times where they aren't sufficient.

[go to top]