johnfn 2 days ago

Am I missing something? Even if you do `vet foobar-downloader.sh` instead of `curl foobar-downloader.sh | bash`, isn't your next command going to be to execute `foobar` regardless, "blindly trusting" that all the source in the `foobar` repository isn't compromised, etc?

lr0 2 days ago | parent | next [-]

No, it says that it will show you the script first so you can review it. What I don't get is why you need a program for this: you can simply curl the script to a file, `cat` it, and review it.
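The manual workflow lr0 describes (fetch to a file, read it, then run it), written out as an added shell example that is not from the thread or from the vet project. It goes one step beyond the comment: the script's SHA-256 is recorded when you review it and re-checked immediately before execution, so the file you run is byte-for-byte the one you read. The function names and the constructed sample installer are my own assumptions; nothing here is downloaded, so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the vet project.
# Demonstrates: download to disk instead of piping into a shell, review the
# file, then run it only if its hash still matches what was reviewed.
set -u

# SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Step 1: save the installer to a file rather than `curl ... | bash`.
# (Not exercised by the offline demo below; shown for completeness.)
fetch_script() {
    url=$1; dest=$2
    curl -fsSL "$url" -o "$dest"
}

# Step 2: print the script with line numbers for reading (to stderr),
# and emit its SHA-256 on stdout so the caller can keep it.
review_script() {
    echo "=== $1 ===" >&2
    nl -ba "$1" >&2
    echo "=== end of $1 ===" >&2
    file_sha256 "$1"
}

# Step 3: execute only if the file is unchanged since review.
# Returns 1 (and runs nothing) when the hash differs.
run_reviewed() {
    script=$1; expected=$2
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: contents changed since review" >&2
        return 1
    fi
    sh "$script"
}

# Constructed sample installer (hypothetical; it only prints a line).
make_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "installing foobar (constructed sample, does nothing)"
EOF
}

# Usage: sh review.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_script "$tmp"
    h=$(review_script "$tmp")      # read the listing, keep the hash
    run_reviewed "$tmp" "$h"       # runs: hash matches
    echo 'echo tampered' >> "$tmp" # simulate a change after review
    run_reviewed "$tmp" "$h" || echo "blocked as expected"
    rm -f "$tmp"
fi
```

With a real URL you would call `fetch_script "$url" installer.sh`, read the `review_script` listing, and pass the printed hash to `run_reviewed`. As simonw notes above, this only tells you the installer is what you read; it says nothing about the binary the installer then fetches.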

simonw 2 days ago | parent | next [-]

It shows you the installation script but that doesn't help you evaluate if the binary that the script installs is itself safe to run.

dotancohen 2 days ago | parent | next [-]

Right, this tool does one thing - make it easy to see the script. Another tool does something else. That's kind of the UNIX Philosophy.

2 days ago | parent | prev [-]
[deleted]
geysersam 2 days ago | parent | prev [-]

Yes but even if you inspect the code of the installation script the program you just installed might still be compromised/malicious? It doesn't seem more likely that an attacker managed to compromise an installation script, than that they managed to compromise the released binary itself.

loloquwowndueo 2 days ago | parent | prev [-]

If you’re just going to run it blindly you don’t need vet. It’s not automatic - it just gives you a chance to review the script before running it.