With all the talk recently about making various forms of code safety national priorities, why in the world does any major compiler promoting built-in code safety features still think the official way to install it should be the anything but safe code delivery method curl-pipe-shell?
Follow
Even if I did trust you as much as I trust my OS package manager, I can't trust that it will always be the real you on the other end of my link to you, and it's possible for an attacker to trick curl into giving one script to less and another script to bash. https://web.archive.org/web/20240228190305/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ Why set yourself up as a huge target like this?
