OK, this whole curl -fsSL my.self.hosted.rando.dangerous.url.xyz | bash way to distribute compiled binaries that the Rust and Golang communities are doing is not OK. Sober up and don’t curl rando stuff into your shell and don’t run rando binaries either. You didn’t build that!
Debian signs their compiled packages for a reason.
Seeing this practice being so widespread has the knock-on effect (yeah, it’s not technically related) of making me hesitant to even do cargo install blablabla when any schmoe can do cargo publish and tell you to go cargo install. It’s better than the curl into bash borkery because if they do publish malware to crates.io, it can be vetted later, when the time comes to do a biopsy of your system.
They can publish a new version that messes up your stuff at a moment’s notice, but at least there will be a record of them doing that. So you can look down on your dead machine from heaven and see “oh, so that’s when it all went wrong.”
Unlike the curl something something | bash which… don’t do. And stop asking people to do that. You are creating bad habits.
A Unix filter to verify md5sums is a pretty awesome idea.
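Here is that filter, as an added example that is not from the original post: it buffers the entire download before forwarding a single byte, so the shell downstream never runs a truncated or partially received script, and it checks a SHA-256 digest rather than MD5, since MD5 collisions are cheap to produce and an MD5 match no longer proves you got the file you expected. The verify_stdin name and the example.invalid host are made up for this example.

```shell
#!/bin/sh
# verify_stdin: a Unix filter that sits between curl and bash. It buffers
# the whole download, checks its SHA-256 digest against a value obtained
# out of band, and only then forwards the bytes to stdout.
#
#   curl -fsSL https://example.invalid/install.sh \
#     | verify_stdin <expected-sha256> | bash
#
# example.invalid is a placeholder host and the function name is made up
# for this example. On macOS replace sha256sum with "shasum -a 256".

verify_stdin() {
    # Normalise the expected digest to lowercase hex, as sha256sum prints it.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')

    # Refuse a malformed digest before reading a single byte of input.
    case "$expected" in
        ''|*[!0-9a-f]*)
            echo "verify_stdin: expected a 64-hex-digit SHA-256 digest" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_stdin: digest must be 64 hex digits" >&2
        return 2
    fi

    # Buffer everything into a private (0600) temp file. This is the key
    # property: a truncated or partially received script is never handed to
    # bash line by line; it simply fails the digest check below.
    tmp=$(mktemp) || return 2
    cat > "$tmp"

    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_stdin: digest mismatch, refusing to forward input" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$tmp"
        return 1
    fi

    # Digest matched: release the buffered bytes downstream, then clean up.
    cat "$tmp"
    rm -f "$tmp"
    return 0
}
```

Source the file (or paste the function into your shell) and drop it into the pipeline as shown in the header comment; a mismatch leaves bash with an empty stdin and a non-zero status from the filter.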