mingus88 2 days ago
I’m not a novice user anymore either, but I care about my security and privacy. When I see a package from a repo, I have some level of trust. Same with a single binary from GitHub. When I see a curl|bash I open it up and look at it. Who knows what the heck it is doing. It does not save me any time and in fact is a huge waste of time to wade through random shell scripts which follow a dozen different conventions because shell is ugly. Yes, you could argue an OS package runs scripts too that are even harder to audit, but those are versioned and signed and repos have maintainers and all kinds of things that some random HTTP GET will never support. You don’t care? Cool. Doesn’t mean it’s good or safe or even convenient for me.
troupo a day ago | parent
Repos and maintainers etc. are just a long unauditable supply chain [1]. And everyone is encouraged to blindly trust this chain with sudo access. It's worse than that. If your distro doesn't have some package, you're encouraged to just add PPA repos and blindly trust those. Quite a few companies run their own repos as well, and adding their packages is again `sudo add repo; sudo install`. Yes, it's not as egregious as just `curl | bash`, but it's not as far removed from it as you think.
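Both comments turn on the same practical gap: a `curl | bash` one-liner gives you neither a versioned artifact to pin nor a chance to read the script before it runs. The script below is an added example written for this thread, not code from either commenter. It replaces the pipe with a fetch-to-file step, checks the file against a SHA-256 you pinned in advance (the closest thing a plain HTTP GET gets to the "versioned and signed" property of a repo), and lists the lines a reviewer should read first. The function names (`sha256_of`, `verify_pinned`, `flag_risky_lines`, `fetch_and_check`) and the sample install script in the demo are constructed for illustration; the demo itself touches no network.

```shell
#!/bin/sh
# Added example for the thread above (not the commenters' code):
# stage a remote script to a file, verify a pinned hash, and surface
# the lines worth reading before anyone runs it.
set -u

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_SHA256: exit 0 on match, 1 otherwise.
# The pin is something you recorded earlier (release notes, a previous
# review), so a silently changed script fails closed.
verify_pinned() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# flag_risky_lines FILE: print line-numbered matches for constructs a
# reviewer should read closely: sudo, eval, a nested download piped into
# a shell, and writes under /etc or /usr/local. grep's exit status is
# passed through: 0 if anything was flagged, 1 if nothing was.
flag_risky_lines() {
    grep -nE 'sudo|eval|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|/etc/|/usr/local/' "$1"
}

# fetch_and_check URL EXPECTED_SHA256 DEST: download to DEST (never into a
# pipe), verify the pin, and stop there. Running the file is left to the
# person who has read it; this function only stages and checks it.
fetch_and_check() {
    url=$1; expected=$2; dest=$3
    curl -fsSL "$url" -o "$dest" || return 2
    if ! verify_pinned "$dest" "$expected"; then
        echo "hash mismatch for $url; refusing to continue" >&2
        return 1
    fi
    echo "pinned hash verified; review $dest before running it"
    flag_risky_lines "$dest" || echo "(no flagged lines)"
}

# Demo on a constructed sample script so the example runs offline.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/bin/sh
echo "installing example tool"
sudo cp ./tool /usr/local/bin/tool
EOF
    pin=$(sha256_of "$tmp")          # stands in for a pin recorded earlier
    verify_pinned "$tmp" "$pin" && echo "pin matches"
    echo "lines to read before running:"
    flag_risky_lines "$tmp"
    rm -f "$tmp"
}
demo
```

In real use you would call `fetch_and_check "$URL" "$PIN" ./install.sh` instead of `curl "$URL" | bash`; the point is that the file exists on disk, matches what you reviewed last time, and has its sudo and nested-download lines pointed out before you decide to run it. A pinned hash does not replace a signed, maintained repo, but it is the minimum that turns an anonymous GET into something you can audit twice and get the same answer.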