I only discovered this recently, and it’s very handy.
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
I only discovered this recently, and it’s very handy.
Piping scripts directly to bash is a security risk. You can always download the scripts, inspect them and run locally if you so choose.
Sure, but my point is that it’s no different to an AUR/user repo. At some point you’re just trusting someone else.
I think the whole “Don’t put bash scripts into a terminal” is too broad. It’s the same risk factor as any blind trust in ANY repository. If you trust the repo then what does it matter if you install the program via repo or bash script. It’s the same. In this specific case though, I trust the repo pretty well. I’ve read well more than half of the lines of code I actually run. When tteck was running it… he was very very sensitive about what was added and I had 100% faith in it. Since the community took it over after his death it seems like we’re still pretty well off… but it’s been growing much faster than I can keep up with.
But none of these issues are any different than installing from AUR.
The rule should just be “don’t run shit from untrusted sources” which could include AUR/repo sources.