Good post.
Websites which provide install instructions as curl <url> | bash are also very guilty of this.
I don't see how this is any different from installing any other program on your computer. Most people using Windows just type in their admin password when installing stuff. And the people on Linux installing something with terminal instructions are basically the same thing.
reply
I see your point but I also see a difference between running random code and being susceptible to the issues mentioned in the article vs running code which is more or less guaranteed that it does what you want:
A package manager is a common and welcome sight in the world of Linux-based operating systems. When installing software using a package manager we have a guarantee that all (or most) of the files used by the program will be tracked and accounted for and removed when uninstalling it. The same is true for various dependencies and the package manager also provides us with many other security measures such as ensuring that files belonging to an already installed program will not be overwritten by accident during the installation process. When executing an unknown script we don't know what is going to happen - we will not be able to easily find out what files were installed. This problem is mostly related to a simple necessity of keeping track of various entries in your file system. Imagine the chaos arising if every program was installed manually without the help of a package manager. This also exposes you to unpatched security issues as the installed program will not be automatically updated.
(also from the mentioned article)
Things not mentioned are for example checksums which are also checked automatically by package managers.
reply
In fact it goes further than that - pretty much every Linux package manager will refuse to even load packages from a repo unless the repo's PGP key matches up with the public key on your local system. You cannot add a new repo without adding the PGP key. If a malicious actor hacked the repo, they could not push out packages without also obtaining access to the private PGP key of the repo owner.
Windows users may be used to installing random executables, but Windows systems also tend to have a lot of malware. Linux has many extra layers of security vs Windows, which doesn't even have a package manager unless you install a third party one - same is true of macOS as well, if we're being fair.
Point is, when discussing Linux security, saying "but piping random scripts direct to bash with sudo is as secure as Windows" is basically the computing equivalent of "better love story than Twilight."
reply
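The two comments above describe what a package manager does for you automatically: it checks a digest of every package and refuses anything the repository key has not signed. The script below is an added example, not code from the thread or from any project it mentions, showing the minimal manual version of the first of those checks for a downloaded installer: save it to a file, compare its SHA-256 against the digest the publisher posts, and only then execute it. The installer script and the digest it verifies are constructed inline for the demonstration; `sha256_of`, `verify_then_run` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example: the "download, verify, then run" alternative to `curl <url> | bash`.
# Piping straight into bash skips the digest comparison that a package manager
# performs on every package; this script makes that comparison explicit.
set -eu

# Pick whichever SHA-256 tool exists on this host (GNU coreutils or macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_then_run FILE EXPECTED_DIGEST
# Executes FILE only when its SHA-256 equals EXPECTED_DIGEST; otherwise prints
# both digests and returns 1 without running anything.
verify_then_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: digest mismatch" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  sh "$file"
}

# Demonstration with a constructed installer script (not from any real project).
# Returns 0 when the intact file runs and the modified file is refused.
demo() {
  work=$(mktemp -d)
  printf '#!/bin/sh\necho "installing example tool"\n' > "$work/install.sh"

  # Publisher side: the digest that would be posted next to the download link,
  # ideally on a separate page and covered by the publisher's PGP signature.
  published=$(sha256_of "$work/install.sh")

  # User side, unmodified download: digest matches, installer runs.
  verify_then_run "$work/install.sh" "$published"

  # User side, file altered after the digest was published: refused.
  printf 'echo "extra line appended after publication"\n' >> "$work/install.sh"
  if verify_then_run "$work/install.sh" "$published" 2>/dev/null; then
    echo "unexpected: modified file was executed" >&2
    rm -rf "$work"
    return 1
  fi

  rm -rf "$work"
  echo "intact file ran, modified file refused"
}

demo
```

The digest only helps when it comes from somewhere the attacker who can alter the download cannot also alter; a checksum served from the same URL as the script adds nothing. That is why the repository signing the other comment describes is the stronger check: the signature is verified against a key already on the local system, not against anything fetched alongside the package.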
Great addition, thanks.
Really interested to see if this changed @zuspotirko's mind
reply
Do people frequently install executables from Twitter posts?
reply
There is no difference if it's a Tweet or a GitHub README or a recommendation from a friend: if you don't know what you are installing, you don't know what you're installing, no matter the source.
reply