mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit


Me: Why the heck would I want "uv". Python already has a perfectly good self hosted packaging system, why cross the streams with a compiled language

This rust library: To build, first install UV

Me:

mcc

The installation process involves curling a file to sh

The installer script is 1,825 lines long. This had BETTER uninstall cleanly.

Now I want to be clear I am completely ok with installing an app by running a local sh script as long as it is a program I wanted to run & I clearly understand why it needs to end-run around my package system but it is unpleasant to get "well this python script won't run without it" and it's especially weird when I'm installing a Rust program :( why can't cargo manage a uv for me. cargo manages a *clang* for me

@mcc This better be running in some kind of container.

@mcc

🎵 The dream of the 90's is alive in... 🎵

@mcc gotta curl that file

@mcc you can download the binary off GitHub as well and just use those. The installation script is a “please do everything for me” thing but if you just want to drop it in and edit your PATH that option exists

I think the overall uv philosophy is “work on any system at almost any cost”, hence the shell script

@raphael @mcc

I think the overall uv philosophy is “work on any system at almost any cost”

s/any system/only the most widely used platforms/

@cybertailor do you have a specific system where it’s not working? I guess there might be issues downstream from standalone-python?

@raphael it can't support more platforms than Rust and e.g. had build failures on PowerPC at some point. It's less portable than tools written in Python by definition and thus cannot fully replace them.

@raphael @mcc this assumes there are no dependencies to be installed.

@vaidas there aren’t, it’s a self-sustaining binary.

@mcc … Rust, Zig allow this. Although you can also build from source via git. Do I bother to check sigs every time ☹️

@mcc whatever that is, its developers are unserious people

@mcc IIRC, the Asahi Linux team (who definitely know what they're doing) do the same thing. Their explanation is, briefly: Going from HTTPS straight into SH means there's no chance for malicious modification unless your system is already hopelessly compromised. If you write it to disk first then there's a chance malware could add malicious instructions to it. Most people won't actually read the script, and those who do know how to adjust the install procedure accordingly.

@mcc Honestly I mostly stopped worrying about this when I realized how many package manager packages had “native components” or “post-install scripts”. If I’m installing software I plan to run, it doesn’t have to put its malfeasance in the install script.

@mcc Nice picture.

We appreciate that people put trust in curl and try really to be worthy of it. But…

curl url | sh

does *not* check the exit code of the curl run. Nor are you likely to notice error messages while the install script is happily telling you all the great things it is doing.

So the script might just end somewhere, which might be noticeable or not. And your system is in what state then?

@icing I mean, what I always do is curl > to a file, glance over it once, and then sh. But what worries me is anything could be in there. I don't feel confident I can detect malice in sh and sometimes the install scripts are very long

If it's malicious the clues of that are not necessarily in the script itself. They could be in additional files downloaded by that script in order to be harder to detect.
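As an added example, not code from the thread and not uv's or curl's installer, here is the failure mode described in the `curl url | sh` reply above and the download-first habit from the reply after it, written as POSIX sh. The `installer_*` functions are constructed stand-ins for a downloader so that it runs offline; the stage-two URL is hypothetical, and the `count_nested_fetches` pattern is a rough heuristic for "this file pulls in code I have not read", not a malware detector.

```shell
# Added example, not code from the thread or from uv/curl: why `curl url | sh`
# hides a failed download, and a fetch-then-inspect-then-run wrapper instead.
# The installer_* functions are constructed stand-ins for a downloader so the
# example runs offline; everything else is plain POSIX sh plus grep and mktemp.

# A download that completes.
installer_complete() {
  printf '%s\n' 'echo "installing"' 'echo "updating PATH"' 'echo "done"'
}

# A download that stops partway and exits 22, the status curl -f reports for an
# HTTP error. The partial script is still valid shell, which is the problem.
installer_truncated() {
  printf '%s\n' 'echo "installing"' 'echo "removing old version"'
  return 22
}

# A complete download whose script fetches a second stage at run time (the case
# raised at the end of the thread). Reading this file alone says nothing about
# what stage2.sh does. Hypothetical URL.
installer_nested() {
  printf '%s\n' 'echo "installing"' 'curl -fsSL https://example.invalid/stage2.sh | sh'
}

# 1. The pipeline from the thread. A pipeline's exit status is that of its LAST
#    command, so this returns sh's status (0: the echoes ran fine) even though
#    the downloader failed and sh only ever saw part of the script.
piped_install_status() {
  "$1" | sh >/dev/null 2>&1
}

# 2. Download to a file first. Now the status you get is the downloader's.
fetch_to_file() {
  "$1" > "$2"
}

# 3. Count lines that pull in or decode more code at run time. These are the
#    lines a read-through cannot vouch for, so they need a human's attention.
count_nested_fetches() {
  grep -cwE 'curl|wget|eval|base64' "$1" || true
}

# 4. Staged install: refuse a partial download (returns the downloader's
#    status), hold a script with run-time fetches for review (returns 3),
#    otherwise run it and return the script's own status.
staged_install() {
  tmp=$(mktemp) || return 1
  fetch_to_file "$1" "$tmp"
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "download failed with status $status; not running a partial script" >&2
    rm -f "$tmp"
    return "$status"
  fi
  nested=$(count_nested_fetches "$tmp")
  if [ "$nested" -gt 0 ]; then
    echo "script fetches more code at run time; review these lines first:" >&2
    grep -nwE 'curl|wget|eval|base64' "$tmp" >&2
    rm -f "$tmp"
    return 3
  fi
  sh "$tmp"
  status=$?
  rm -f "$tmp"
  return "$status"
}

# Stand-alone usage: the piped form reports success for the broken download,
# the staged form surfaces the downloader's real status.
piped_install_status installer_truncated; echo "piped:  status $? (downloader failure hidden)"
staged_install installer_truncated || echo "staged: status $? (downloader failure surfaced)"
```

The point of step 2 is only that the downloader's exit status becomes visible; it is not a verification step. If the project publishes a checksum or signature for the script, check it against the saved file before step 4, and treat anything flagged in step 3 as a second download that deserves the same treatment.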