I’ve heard this over and over… what’s the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?
@gomp try comparing it with apt install, not with downloading a .deb file from a random website - that is obviously also very insecure. But the main thing curl|sh will never have is verifying the signature of the downloaded file - what if the server got compromised, and someone simply replaced it. You want to make sure that it comes from the actual author (you still need to trust the author, but that’s a given, since you are running their code). Even a signed tarball is better than curl|sh.
Installing a .deb is what I was thinking about.
Even a signed tarball is better than curl|sh.
If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.
Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).
@gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?
A deb is just a zip file that gets unpacked to where your binaries go. A shell script you curl pipe into shell could contain literally any instructions
Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.
BTW the “unzip” part is also run as root, and a binary package can typically place stuff anywhere in your system (that’s their job after all)… even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.
