This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.
No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].
I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install
Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.
That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.
> This is no different from installing a random package through a package manager
I replied "No it isn't" in response to that, so I was claiming that a package manager was different (in terms of security) from doing curl | sh.
My comment then went on to explain specific attacks (a mirror being compromised) which are solved by package managers / cryptographic signatures.
At no point did I ever claim package managers were immune to all attacks. A compromised build server, leaked keys, or the upstream program thats being packaged being malicious are all still possible.
Its very simple, my Arch Linux install is pointed at the MIT mirrors. What is stopping the Massachusetts Institute of Technology from replacing my next firefox update with a virus? Cryptographic signatures. They don't have an Arch Linux signing key. What would be stopping them if I installed firefox by doing curl | sh? Nothing.
The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.
Both are examples of developer-types doing risky things, which was my point and also supports my point that developers are not exclusively better secured than non-developer types.
