Now some may say: "but I could download the shell script beforehand as well and analyze it!"
That usually works, but it is actually possible to deliver a different script depending on if it's downloaded or piped: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
@lenzgr aye, you shouldn't use bash
@lenzgr if I don't trust your script, why would I trust your rpms or debs either? They also run as root.
To me the far more compelling reason for distributing packages of some kind is that I want to know what version I'm getting, otherwise I have no idea what's installed except that it's the latest available whenever I last ran the script.
@lenzgr if I want the same software on prod as on staging, or on all members of a cluster, or I want to test a bug fix against a config from 3 weeks ago, this ahistorical garbage is useless
@telent RPMs come with checksums and signatures built-in, so I have a better chance of verifying that they haven't been tampered with. I also can download them and verify/inspect them before installing. And yes, they are versioned.
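If the server can answer each request differently, "download it first and inspect it" only helps when the bytes that were reviewed are the bytes that run. The sketch below is an added example, not part of the thread: the function names and the sample installer are constructed, and the pinned SHA-256 is assumed to have been recorded when the saved file was reviewed.

```shell
# Added example (not from the thread): execute a saved installer only if it
# still matches the SHA-256 recorded at review time. All names are hypothetical.

sha256_of() {
    # Print the hex SHA-256 of file $1 with whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_pinned() {
    # $1 = file already saved to disk, $2 = expected SHA-256 (hex).
    # Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual="$(sha256_of "$1")" || return 2
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1" >&2
        return 1
    fi
}

run_pinned() {
    # Verify, then run the same local file; nothing is fetched a second time.
    file="$1"; expected="$2"; shift 2
    verify_pinned "$file" "$expected" || return $?
    sh "$file" "$@"
}

demo_pinned_install() {
    # Constructed sample: a tiny installer, then the same file after a change.
    dir="$(mktemp -d)" || return 2
    printf 'echo "installed v1.2.3"\n' > "$dir/install.sh"
    pin="$(sha256_of "$dir/install.sh")"        # hash noted at review time
    out="$(run_pinned "$dir/install.sh" "$pin")" || { rm -rf "$dir"; return 1; }
    printf 'echo "extra step"\n' >> "$dir/install.sh"   # file differs from review
    if run_pinned "$dir/install.sh" "$pin" 2>/dev/null; then
        rm -rf "$dir"; return 1                 # changed file must be refused
    fi
    rm -rf "$dir"
    [ "$out" = "installed v1.2.3" ]
}

demo_pinned_install && echo "reviewed file ran, changed file was refused"
```

A checksum only ties execution to the reviewed copy; unlike the package signatures mentioned above, it says nothing about who produced the file.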