Me: Why the heck would I want "uv"? Python already has a perfectly good self-hosted packaging system; why cross the streams with a compiled language?
This Rust library: To build, first install uv
Me:
The installer script is 1,825 lines long. This had BETTER uninstall cleanly.
Now, I want to be clear: I am completely OK with installing an app by running a local sh script, as long as it is a program I wanted to run and I clearly understand why it needs to end-run around my package system. But it is unpleasant to get "well, this Python script won't run without it", and it's especially weird when I'm installing a Rust program :( Why can't cargo manage a uv for me? cargo manages a *clang* for me.
@mcc This better be running in some kind of container.
@mcc lol you're hilarious, thinking it will
The dream of the '90s is alive in...
@mcc what could possibly go wrong.
@mcc you can download the binaries off GitHub as well and just use those. The installation script is a “please do everything for me” thing, but if you just want to drop it in and edit your PATH, that option exists.
I think the overall uv philosophy is “work on any system at almost any cost”, hence the shell script
@cybertailor do you have a specific system where it’s not working? I guess there might be issues downstream from standalone-python?
@raphael it can't support more platforms than Rust and, e.g., it had build failures on PowerPC at some point. It's less portable than tools written in Python by definition and thus cannot fully replace them.
@vaidas there aren’t, it’s a self-sustaining binary.
@mcc … Rust and Zig allow this. Although you can also build from source via git. Do I bother to check sigs every time?
@mcc whatever that is, its developers are unserious people
@mcc IIRC, the Asahi Linux team (who definitely know what they're doing) do the same thing. Their explanation is, briefly: Going from HTTPS straight into SH means there's no chance for malicious modification unless your system is already hopelessly compromised. If you write it to disk first then there's a chance malware could add malicious instructions to it. Most people won't actually read the script, and those who do know how to adjust the install procedure accordingly.
@mcc Honestly I mostly stopped worrying about this when I realized how many package manager packages had “native components” or “post-install scripts”. If I’m installing software I plan to run, it doesn’t have to put its malfeasance in the install script.
@mcc Nice picture.
We appreciate that people put trust in curl, and we really try to be worthy of it. But…
curl url | sh
does *not* check the exit code of the curl run. Nor are you likely to notice error messages while the install script is happily telling you all the great things it is doing.
So the script might just end somewhere, which might be noticeable or not. And your system is in what state then?
If it's malicious the clues of that are not necessarily in the script itself. They could be in additional files downloaded by that script in order to be harder to detect.
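The failure mode described in this post, written out as an added example that is not part of the thread or of any project's installer: fetch the script to disk first, so that curl's exit status is actually checked and a truncated download is just a file that fails its checksum, compare the file against a digest published out of band, and only then hand it to sh. The URL and digest are placeholders (assumptions) you would take from the project's release page; the test data is constructed.

```shell
#!/bin/sh
# Added example (not from any project's installer): fetch an install script to
# disk, check curl's exit status, check a pinned SHA-256 from the release page,
# and only then hand the file to sh. A partial download is a truncated file
# whose digest does not match, so sh never sees it.
set -eu

# Print the SHA-256 of a file using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the expected hex digest.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Verify first, then run. Returns 2 on mismatch without executing anything;
# otherwise returns the script's own exit status.
run_verified() {
    script=$1
    expected=$2
    if ! verify_sha256 "$script" "$expected"; then
        echo "checksum mismatch for $script; refusing to run it" >&2
        return 2
    fi
    rc=0
    sh "$script" || rc=$?
    return "$rc"
}

# Download to a file instead of a pipe. -f turns HTTP errors into a non-zero
# exit instead of an HTML error page on stdin; --proto/--tlsv1.2 refuse
# downgrades; the exit status is visible because no pipeline consumes it.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 --retry 3 -o "$2" "$1"
}

# Whole procedure: fetch, verify, run, clean up. Every step's status is checked.
install_verified() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    fetch_installer "$url" "$tmp" || {
        rc=$?
        echo "download failed (curl exit $rc): $url" >&2
        rm -f "$tmp"
        return "$rc"
    }
    rc=0
    run_verified "$tmp" "$expected" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholders; take the real values from the project's release page):
#   INSTALL_URL=https://example.invalid/install.sh INSTALL_SHA256=<hex> sh install.sh
if [ -n "${INSTALL_URL:-}" ]; then
    install_verified "$INSTALL_URL" "${INSTALL_SHA256:?set INSTALL_SHA256 to the published digest}"
fi
```

The digest has to come from somewhere other than the same download (a release page, a signed checksums file), otherwise it only proves the file arrived intact, not that the right file was served. That still covers the point in the post above: a connection that drops halfway leaves a file that fails the check instead of a half-run script.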