In-reply-to » I can't believe software developers are still trying to get people to do curl | sh. It's easy to miss the problem if you're still in the mindset of Windows software distribution, but these people are writing software on GNU/Linux, for GNU/Linux. You would think they'd realize that this is never a good idea.

@mckinley@twtxt.net I think we (as in “the free software community”) have largely given up on that. curl foo | sh is basically equivalent to running precompiled binaries or the huge dependency mess that we have these days (simple programs pulling in 47289 libraries). We run completely untrusted code all the time and nobody cares anymore. The idea of eliminating distributions (which at least provide some layer of quality control) pops up again and again. A curl foo | sh is probably the least harmful thing these days, because it’s the easiest issue to fix.

(Meh: Rust’s curl https://sh.rustup.rs | sh downloads a 15 MB binary that does god-knows-what.)

Or am I missing the point? 🤔
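As an added example that is not part of this thread, the "easy fix" alluded to above in POSIX sh: fetch the installer to disk instead of piping it, pin it to a SHA-256 obtained out of band (from a signed release page, not from the same URL), read it, and only then hand it to sh. The URL, the checksum and the function names are placeholders, not from any real project.

```shell
#!/bin/sh
# sha256_of <file>: print the hex digest, with a fallback for systems
# that ship shasum instead of sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_pinned_script <path> <expected_sha256>: refuse to execute the
# script unless its digest matches the value you were given out of band.
run_pinned_script() {
    script="$1"
    expected="$2"
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: sha256 $actual != $expected" >&2
        return 1
    fi
    sh "$script"
}

# fetch_and_run <url> <expected_sha256>: the replacement for `curl url | sh`.
# URL and digest are placeholders; nothing here is a real installer.
fetch_and_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    # -f fails on HTTP errors instead of feeding an error page to sh,
    # -sS stays quiet except for real errors, -L follows redirects.
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Interactive use: read it first, e.g. `less "$tmp"`, before the next line.
    run_pinned_script "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Example call with placeholder values (constructed, will not verify):
# fetch_and_run "https://example.invalid/install.sh" "<sha256 from release notes>"
```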
