Cake day: June 26th, 2023

  • No one is talking about NPM libraries. We’re talking about released packages. You absolutely can ensure a binary hasn’t been tampered with. It’s called checksumming.

    I just took NPM as an example of code that was trusted doing shady things. And I know what checksums are and how they work. What I meant is that the developer providing you with the checksum has put malicious code in the binary. You don’t know. (I don’t think that is very likely, but it all boils down to trust.)

    You’re confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.

    No, I don’t think I am?

    Yes. That’s precisely the problem we’re pointing out to you.

    And I am saying that it is not that big of a problem.


  • How do you know the script hasn’t been compromised?

    You don’t, same as you don’t know if the binary has been compromised, just like when an npm package deleted files for Russian users. I get that running scripts from the internet without looking at them first to understand what they do is not secure, but downloading and running anything from the internet is coupled with some amount of risk. How do you know that you won’t be mining cryptocurrency in addition to the original purpose of the binary? You don’t, unless you read the source code.

    It all comes down to if you trust the provider or not. Personally, if I trust them enough to run binary files on my computer, I trust them enough to use their scripts for installation. I don’t agree that something is more unsafe just because it is a script.

    package manager

    Not everything is provided with a package manager, and not everything is up to date in the OS-provided package manager. I agree that one should ideally use a package manager with third-party validation if that is an option.
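The two threads above circle the same distinction: a checksum tells you the bytes you received are the bytes the publisher hashed, which defeats tampering in transit or on a hijacked mirror, but says nothing about whether the publisher's own artifact is malicious, and it only works at all if the expected digest comes from somewhere other than the server that served the file. The script below is an added example, not code from anyone in this thread, showing the download-then-verify-then-run pattern that replaces piping `curl` straight into `sh`. The file names, the script contents and the "published" digest are constructed for the demo; in a real install the digest would be copied from the project's release page or a signed release note, not fetched alongside the file.

```sh
#!/bin/sh
# Added example (not from the thread): execute a downloaded install script only
# after it matches a checksum obtained through a separate channel. File names,
# contents and the "published" digest used in demo() are constructed.

# Print the SHA-256 hex digest of a file. Uses coreutils sha256sum when present
# and falls back to shasum (macOS/BSD).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if the file's digest equals the pinned one, 1 otherwise.
# The pinned value must come from somewhere other than the host that served the
# file (release notes on a different domain, a signed announcement, a previous
# trusted install). A digest fetched from the same compromised host matches a
# tampered file just as happily, and a digest the developer publishes for a
# deliberately malicious binary matches too: this check covers transport, not trust.
verify_sha256() {
  file=$1
  pinned=$2
  actual=$(digest "$file")
  [ "$actual" = "$pinned" ]
}

# Run an already-downloaded script only if it verifies.
# $1 = path of the downloaded file (in real use: curl -fsSL "$url" -o "$1" first)
# $2 = pinned SHA-256 digest
run_verified() {
  tmp=$1
  pinned=$2
  if verify_sha256 "$tmp" "$pinned"; then
    sh "$tmp"
  else
    echo "checksum mismatch for $tmp: refusing to execute" >&2
    return 1
  fi
}

# Offline walk-through: a genuine script, a pinned digest, then a tampered copy.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "installing tool"\n' > "$dir/install.sh"
  # Stand-in for the digest the maintainer would publish out of band.
  published=$(digest "$dir/install.sh")
  if run_verified "$dir/install.sh" "$published"; then
    echo "genuine script verified and ran"
  fi
  # Simulate tampering in transit or on a hijacked mirror: one appended line.
  printf 'echo "also mining"\n' >> "$dir/install.sh"
  if ! run_verified "$dir/install.sh" "$published" 2>/dev/null; then
    echo "tampered script rejected"
  fi
  rm -rf "$dir"
}
```

Call `demo` after sourcing the file to see both paths; the two `if` blocks exist so the rejected case does not abort a shell running with `set -e`. Note what the pattern does not do: if the maintainer's own account or build pipeline shipped the malicious line, `published` would already include it and the check would pass, which is the supply-chain case the thread distinguishes from a MITM.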