Hacker News new | past | comments | ask | show | jobs | submit login

But `curl | sh` is no less secure. Download this file and execute it. Functionally the same outcome. Tell me how doing that is materially different than `apt get`. Both employ signing and checksums (just with different PKI). One delegates trust to a package maintainer while the other trusts the author directly. I truly don’t understand the paranoia and consider it tinfoil hat security theater.
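As an added illustration of the "download this file and execute it" step the comment describes (example code, not from the thread or any project): a shell function that refuses to run an installer unless its SHA-256 matches a digest pinned ahead of time, which is the verification step a bare `curl | sh` pipe skips. It assumes either `sha256sum` or `shasum` is available; the install script it checks is constructed inline.

```shell
#!/bin/sh
# Download, then verify, then run: the check that `curl | sh` skips.
# The pinned digest would normally come from the author's signed release
# notes or checksum file, not from the same download being verified.

# Print the SHA-256 of a file; works with coreutils or BSD/macOS tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE only if its digest matches; otherwise reports the mismatch
# and returns 1 without executing anything. A truncated or tampered
# download fails closed here, whereas a pipe would already be executing.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file"
}

# Demonstration with a constructed install script (not a real installer).
# Returns 0 if the intact script runs and the modified one is refused.
demo() {
    tmp=$(mktemp) || return 1
    printf '#!/bin/sh\necho installed\n' > "$tmp"
    good=$(sha256_of "$tmp")
    if verify_then_run "$tmp" "$good" >/dev/null; then ok=0; else ok=1; fi
    printf 'echo tampered\n' >> "$tmp"          # simulate a modified download
    if verify_then_run "$tmp" "$good" 2>/dev/null; then bad=0; else bad=1; fi
    rm -f "$tmp"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo && echo "verify-then-run demo passed"
```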



The package maintainer has to go through a web of trust in their FOSS ecosystem to be allowed to distribute their packages.

A github author just has to put up a repo and hope that their fanbase isn't too versed in the language.



