we all know what you meant. you’re just incorrect, your conflating multiple different types of attacks and asserting the one that is easiest to resolve is an equivalent problem. shrug

1. if the developer of the application is writing malware, its malware end of story. its usually discovered rapidly and people avoid it.
2. supply chain attacks are harder to achieve (i.e. uploading a tainted binary to a software repository)
3. curling a shell script is pretty much the easiest target. you have a bunch of randomly setup servers serving a program that literally intended to install software on systems. You now have a large surface area random from typo attacks, to dns poisoning etc.

many devs i’ve encountered in the wild (FANG/startups/randomly) can barely sort a list without causing problems. so now we have people hosting multiple servers they probably didn’t configure correctly. meaning instead of a few centralized repositories we need to secure we now have to trust these individual people have enough technical know how to safely host such a setup.

thats the problem with these setups. its not the developer being a bad actor we’re worried about, its the systems they’ve setup to serve these scripts. with checksums and side channels its easy to validate the resulting binary. which can effectively nips any issues with a compromised repository.

1. no one is talking about NPM libraries. we’re talking about released packages.
2. you absolutely can ensure a binary hasnt been tampered with. its called checksumming.
3. you’re confusing MITM attacks with supply chain attacks. MITM attacks are far easier to pull off.

Not everything is provided with a package manager

Yes. thats precisely the problem we’re pointing out to you. if you’re going to provide software over the internet provide a proper package with checksum validation. its not hard, stop providing bash scripts.

How do you know the script hasnt been compromised? Is every user competent enough to evaluate it to ensure its safe to run?

Using package managers to handle this provides a couple things: First: most package manager have builtin mechanisms to ensure the binary is unmodified Second: they provide a third party validating them.

Lol if you think we send in Seal team 6 for hostages of foreign countries.

LLCs are plebs. You need a corporation to not be a pleb and it needs to be registered in Delaware.

na, they’ll just say it doesn’t apply to companies because no clear pleb to pin it on.