aspaceman | 3 years ago

It could, but I can trust that no individual stepped in the middle of that process.

I trust Rust to not put such a thing in their binary. I do not trust an arbitrary man in the middle, and it's trivial to modify a shell script.

Without a checksum, I can't ensure the binary I'm piping through the shell is the binary they posted and built. Anyone can step in, modify a few lines, and get access to a large part of my system. The barrier to entry to add such capability to arbitrary binaries is outrageously high.
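The checksum concern in the comment above, as an added example that is not part of the original post or of any project's installer: save the install script to disk, compare it to a pinned SHA-256, and only then run it, instead of streaming it into `sh`. The function names are hypothetical, the demo installer is constructed, and the pinned digest is assumed to come from a channel separate from the download itself.

```shell
#!/bin/sh
# Added example; sha256_of, verify_installer and run_verified are hypothetical names.

# Print the SHA-256 of a file as lowercase hex, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 only if file $1 hashes to pinned digest $2 (1 = mismatch, 2 = bad input).
verify_installer() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A pin must be exactly 64 hex characters; anything else is rejected, not compared.
    case $expected in
        *[!0-9a-fA-F]*|'') echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
}

# Execute the saved file only after it verified; the bytes checked are the bytes run.
run_verified() {
    verify_installer "$1" "$2" && sh "$1"
}

# Constructed demo: a stand-in installer and the digest a publisher would post.
demo=$(mktemp) && printf 'echo installed\n' > "$demo"
pin=$(sha256_of "$demo")
run_verified "$demo" "$pin"
printf 'echo extra\n' >> "$demo"    # simulate a modification in transit
run_verified "$demo" "$pin" || echo "refused to run modified installer"
rm -f "$demo"
```

A digest fetched from the same server and connection as the script detects corruption but not a party who can rewrite both.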

yunohn|3 years ago

Install scripts are usually hosted on GitHub/etc and changes are clearly tracked. Compiled binaries are untracked and do not offer the same guarantees. I would trust the script more than a binary that could’ve been modified anywhere along the build process.

Not everyone uses Linux, and not every package can be audited by repo devs. It’s simply not scalable.