top | item 46988140

(no title)

ajnin | 17 days ago

> I was tempted to try it until I saw the curl | bash pipe, then no

I don't quite get that argument. It's the same as the old download installer from random website, double click to run that people have been doing for decades. It only skips the download step. And it's arguably better since at least you can review the contents. When building a Go program it will also happily download stuff from github but I've seen way less complaints about that. And to be fair it's also been an infection vector, from people installing things from shady places (or reputable places but with ill-intent like installing unwanted browser toolbars, DRM rootkits ...), but it's nothing new. Same advice applies, know what you're doing, use reputable sources.

What's a better alternative ?

discuss

badhorseman|17 days ago

I don't think the go module system is great but I am not sure if any programming gets it right and all suffer from many issues, but go has the go.mod and it is easy to see what dependencies are being used both direct and indirect and the user can filter and look though these packages and pin them until they have eyeballed updates to the git repo. I don't feel the most comfortable with it but the whole `curl | sh` is so terrible, no signing no, way of knowing about the integrity of the installer.

> What's a better alternative ?

I do not think the program really needs and installer but if one must then why not just have it under source control that way you get the benefits of git handling all the download bits and the install script being completely offline and just using cp or install commands.

you could tell the user to do this with a pithy command like `git --depth=1 clone $GITSITE/$REPO && $REPO/installer.sh && rm -R $REPO`

ryandrake|17 days ago

My big problem with it is uninstallation. If I ever want to remove the program, I have to 1. Hope that the author published an uninstall.sh, or 2. examine the install.sh to see where it spams all its files to and remove them manually. This seems like a major step backwards from package managers.

yarn_|16 days ago

This is the only reasonable argument I've heard, but in reality I don't find uninstallers do their job anyway, i seldom have an uninstaller that doesn't leave empty folders behind, config files, user files...

nusl|17 days ago

You're blind-trusting someone to run stuff in the context of your terminal. Sure, it's similar to an installer but the author of the script can also manipulate the script at any time.

One day you run it, it's fine. The next day you run the same command on your machine, it installs malware. No way to tell without inspecting the script every time.

If you download an installer and it's fine, then you can run it again and it's still fine.

dr-detroit|17 days ago

[deleted]