But linux [1] has absolutely zero security measures, and this has basically free reign over your computer to send off your .ssh folder, your browser cache, to install a permanent keylogger, etc.

[1] Standard “GNU”/linux desktops

True, but where's the difference between downloading a binary and executing it vs. downloading a script and executing that which will then download a binary and execute it?

In both cases, you trust the publisher and in both cases the publisher gets equal access to your machine.

Oh - you mean you're downloading the source code, then audit it, then compile it and only then you run it?

That's super great. That has saved you from the xz backdoor and all other supply chain attacks and will be of great help to you in the future. Let's hope no backdoor ever slips past your code review.

> where's the difference between downloading a binary and executing it vs. downloading a script and executing

The difference is that the attack vector of the shell script is an easier target.

If someone was to be malicious; they could manipulate the script and inject some sort of payload in disguise. It's an easier vector to damage than say an compiled package. One that's less prone to being detected in that the script could go for days undetected.

With the executable you can compare the checksum and with the whole package compiled it is less prone and more tricky to alter.

Unless that script is under monitoring 24/7, I'm going for binary but they don't support BSD anyway.

If I were to serve a targeted exploit like this, I would certainly hide it in the binary and have the binary determine whether it's running in the targeted environment and then run the payload.

It's much, much easier to hide a malicious payload in a binary than an easily auditable shell-script. And it's much easier to make a decision of whether the payload should be enabled or not if you are already running on the local machine.

If you don't trust a publisher, you really can't run anything of theirs. Shell script or, especially, binary.

Well, it can actually check if it’s being downloaded from the browser or from the shell (user-agent), so unless you are downloading it and running the downloaded script, it might still spoof what will get executed. Also, it can itself download other scripts.

See, I wouldn't. I would go for the script to either inject the payload to the package or inject to the host.

Even if it's auditable, how many people are actually verifying the shell script before hand?

You've just been given a command to download and execute.

And the potential of having lots of users downloading a shell script has a quicker attack path than users downloading the package. You have custom repos, holding their own distro packages for the software.

The difference is that i prefer flatpak (:

Obviously most distributions provide package managers that should be used for unified automated update mechanisms and gpg signing. Superior to curl | sh in every way.

It's not uncommon that the curl | sh method actually, among other things, detect what distro you're running and add the repos before installing via the package manager, so in the end it depends on what the script actually does. Atuin does it well for example: https://docs.atuin.sh/guide/installation/ -- and offers other options (as you should).

We're actually not going to be doing that for much longer. Lots of users kept querying how it was installed, where, how to remove it, etc.

The response of "it depends, we probably used your system package manager" was not often well received. Users who know how to use their package manager tended to just do that anyway, and not use the script.

I don't really understand the decision to completely stop doing it. If the script has logic to do A,B,C in different cases, why not just implement an --uninstall flag that does the opposite of A,B,C? Then users don't need to know or care what "type" of installation was done.

Of the three distros I know to more detailed extents, Debian, Arch and RedHat, none of those make it easy to install and keep updated a third-party package through the built-in package manager.

In all cases, signatures and repositories need to be configured, often requiring both root access and usage of the CLI and in all cases much harder than running an installer script (which might be doing exactly these steps).

To achieve easy means of installing using distro package managers means including the application in the distro itself, but now it's beholden to the distro's software update policies and thus stuck on that specific version for years or even decades.

That is not what a v0.something of an end-user centric desktop application wants for themselves.

Very different levels of trust though. And different levels of effort for malware (burning zero-days is expensive).

Also, cleaner uninstalls. If the software only has access to specific directories, I can be reasonably optimistic that removal will be clean.

Furthermore, it is much more convenient. E.g., I can just winget install vscode instead of having to google download links.

> Versus what?

Can Linux have something like the Mac App Store where apps don't have access to the whole system by default?

There's flatpak, which is cross-distro, sandboxed, and is installed by default on most distros. It uses xdg-desktop-portals to request access to files through a desktop-provided file picker.

Sadly code editors aren't really suitable for flatpaks, since they usually require access to dependencies installed on the host. This can be worked around by using dev containers, vor the IDE has to ne developed with sandboxing in Kind (like GNOME Builder).