chebra

@mihor oh oh, someone drank too much russian kool-aid

@danielquinn @Tomkoid That might change very quickly after Gitlab finds a buyer.

@gomp Yes but the point is that it comes from a different place and a different time, so for you to execute a compromised program, it would have to be compromised for a prolonged time without anyone else noticing. You are protected by the crowd. In curl|sh you are not protected from this at all

@gomp You mean, as seldom available as every apt install ever? https://superuser.com/a/990153

@gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?

@gomp try comparing it with apt install, not with downloading a .deb file from a random website - that is obviously also very insecure. But the main thing curl|sh will never have is verifying the signature of the downloaded file - what if the server got compromised, and someone simply replaced it. You want to make sure that it comes from the actual author (you still need to trust the author, but that's a given, since you are running their code). Even a signed tarball is better than curl|sh.

@Sethayy cool, go ahead. But still nobody made that take, so ... you are arguing with the wind.

@Sethayy nobody made that take...

@over_clox The lack of redistribution is what's causing projects to disappear and die, vendor lock-in, walled gardens, bricked devices.. you clearly have no idea what you are talking about

@over_clox Which means it's not open-source, silly, because open-source explicitly means you can redistribute it.

@delirious_owl Oh wow, look at this guy, he just solved it all! Now we can finally put all the climate change worries behind. Thanks for saving the world.

@delirious_owl @__

If life gives you lemons, make lemonade. If you kitchen is on fire, grill sausages. If your crops are dying, eat dirt. I mean the positive attitude is nice, but it does break down a bit towards the end...