this post was submitted on 13 Mar 2025
276 points (96.6% liked)
Linux
6466 readers
682 users here now
A community for everything relating to the GNU/Linux operating system
Also check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The security concerns are often overblown. The bigger problem for me is I don't know what kind of mess it's going to make or whether I can undo it. If it's a .deb or even a tarball to extract in /usr/local then I know how to uninstall.
I will still use them sometimes but for things I know and understand - e.g. rustup will put things in ~/.rustup and update the PATH in my shell profile and because I know that's what it does I'm happy to use the automation on a new system.
Damn that's bad misinformation. Its a security nightmare
So tell me: if I download and run a bash script over https, or a .deb file over https and then install it, why is the former a "security nightmare" and the latter not?
For example: A compromised host could detect whether you are downloading the script or piping it.
I'm confident that if the host is compromised I'm screwed regardless.