It's depressing how many popular packages' getting started guides include piping curl output directly to a shell.

That's the quickest way I lose trust in a package. #InsecureByDesign

@YAb0 many have started using signed scripts though

So comparable security to the packages in a package system

@kramselund - had not seen that. Got any examples handy?
RVM: Ruby Version Manager - Documentation

@kramselund - So basically "Install GPG and trust our script checks its own integrity"?

I understand how we got here, but truly do not like it.

@YAb0 and hopefully the GPG key is signed by others and lives some years at least