this post was submitted on 09 Jul 2025
29 points (91.4% liked)

Linux

8409 readers
394 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
29
Why no central script repository? (lemmy.curiana.net)
submitted 3 days ago* (last edited 3 days ago) by [email protected] to c/[email protected]
39 comments fedilink hide all child comments
 

We all know how common terminal one liners have became as a installation method on GNU/Linux and what are the issues with it but let's recap quickly.

You go to a pager of some project and it tells you to do curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs/ | sh or curl -fsSL https://deno.land/install.sh | sh. The only way to verify that this command will not delete all your files or install malware is to manually review the entire script.

So... why not create a secure script repository? On a central website you would create an account for a project and submit a script. On the other side we would provide a binary client that will download and execute the script (we can call it grunt from get and run it). So as a user you would run for example grunt rustup and it would get and execute the script created by rustup project. I imagine it shouldn't be that difficult to add a tiny package to the major distros.

I believe this would be a fairly simple project that would solve all the security issues typical terminal one liners have.

On the website for uploading scripts we could introduce:

  • multi user approval flow for script updates
  • 2FA
  • static checks of the scripts
  • reporting system for compromised scripts
  • verified project status

On the client side we could:

  • provide info about this script's security (how many people reviewed it, when was it last updated, is the project verified)
  • provide info about downloads (how many time was this script downloaded since the last update)
  • do additional checks (maybe the project could provide MD5 of the script on their servers and grunt could verify it?)

So it would look something like this:

# grunt rustp

Downloading rustp.sh from https://getandrun.it/...
Last updated 30 days ago.
Downloads since last update: 5
Verified project: No
Reviewed by 1 user

Execute script [y/N]

Clearly something is wrong...

# grunt rustup

Downloading rustup.sh from https://getandrun.it/...
Last updated 60 days ago.
Downloads since last update: 5342
Verified project: Yes
Reviewed by 3 users
Comparing MD5 checksum with https://rustup.rs/grunt_md5... Passed 

Execute script [y/N]

That's better!

Right? So why don't we have something like this? Or we do and it simply didn't get enough traction?

========

So just to address some of the comments. No, it's not a package manager. Package managers are complex tools that handle versioning, dependencies, updates, uninstalls and so on. Package mangers are also distro specific. A lot of devs decide not to use package managers and use bash scripts that are distro agnostic and don't rely on external maintainers and packagers. It would be ideal if everyone used secure package managers but the reality is they don't. This solution is a compromise that offers devs full control of software distribution while introducing decent security.

=======

Someone suggested brew. How do you install brew according to https://brew.sh/ ?

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

See the problem?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 3 days ago

You should still inspect the PKGBUILD.