It's bad practice to do it, but it makes it especially easy for end users who already trust both the source and the script.

On the flip side, you can also just download the script from the site without piping it directly to bash if you want to review what it's going to do before you run it.

Installing Rust: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh (source)
Installing Homebrew: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" (source)

I understand that you find it infuriating, but it's not something completely uncommon, even in high end projects :/

I've seen a lot of projects doing this lately. Just run this script, I made it so easy!

Please, devs, stop this. There are defined ways to distribute your apps. If it's local provide a binary, or a flatpak or exe. For docker, provide a docker image with well documented environments, ports, and volumes. I do not want arbitrary scripts that set all this up for me, I want the defined ways to do this.

Would you prefere

$ curl xyz
$ chmod +x xyz
$ ./xyz

?

I agree but hey at least you can inspect the script before running it, in contrast to every binary installer you're called to download.

You really should use some sort of package manager that has resistance against supply chain attacks. (Think Linux distros)

You probably aren't going to get yourself in trouble by downloading some binary from Github but keep in mind Github has been used for Malware in the past.

I'm with you, OP. I'll never blindly do that.

Also, to add to the reasons that's bad:

• you can put restrictions on a single executable. setuid, SELinux, apparmor, etc.
• a simple compromise of a Web app altering a hosted text file can fuck you
• it sets the tone for users making them think executing arbitrary shell commands is safe

I recoil every time I see this. Most of the time I'll inspect the shell script but often if they're doing this, the scripts are convoluted as fuck to support a ton of different *nix systems. So it ends up burning a ton of time when I could've just downloaded and verified the executable and have been done with it already.

I assume your concern is with security, so then whats the difference between running the install script from the internet and downloading a binary from the internet and running it?

I'll do it if it's hosted on Github and I can look at the code first but if it's proprietary? Heck no

You are being irrational about this.

You're absolutely correct that it is bad practice, however, 98% of people already follow bad practice out of convenience. All the points you mentioned against "DoWnlOADing a BinAary" are true, but it's simply what people do and already don't care about.

You can offer only your way of installing and people will complain about the inconvenience of it. Especially if there's another similar project that does offer the more convenient way.

The only thing you can rationally recommend is to not make the install script the "recommended" way, and recommend they download the binaries from the source code page and verify checksums. But most people won't care and use the install script anyway.

If the install script were "bloody pointless", it would not exist. Most people don't know their architecture, the script selects it for them. Most people don't know what "adding to path" means, this script does it for them. Most people don't know how to install shell completions, this script does it for them.

You massively overestimate the average competence of software developers and how much they care. Now, a project can try to educate them and lose potential users, or a project can follow user behavior. It's not entirely wrong to follow user behavior and offer the better alternatives to competent people, which this project does. It explains that it's possible and how to download the release from the Github page.

Can you actually explain what concerns you have, that wouldnt be any more of a concern if you downloaded and installed a binary directly?

At least a shell script you can read in plaintext, a binary can just do who the fuck knows what.

I'm curious, op, do you think it's bad to install tools this way in an automated fashion, such as when developing a composed docker image?

4.Since MS bought github, github is no longer trustworthy. Databreaches etc have increased since MS owns github. Distribution of malware via github as well. What is the 4 point supposed to say?

What's a good package manager right now for stuff like this if i don't want to use the distro package manager though? I want up to date versions of these tools, ideally shipped by the devs themselves, with easy removal and updates. Is there any right now? I think Homebrew is like that? But I wish it didn't need creating an entire new user and worked on a user account basis.

In an ideal world, i would want to use these tools in such a way that I can uninstall them, including any tool data (cache, config, etc), and update them in a reliable manner. Most of these tools are also hellbent on creating a new "." folder or file in the home folder ignoring the XDG spec.

I saw many cases of this with windows PowerShell and those Window debloating scripts