Notices by Jérôme Petazzoni (jpetazzo@hachyderm.io)

@dalias not wanting to be pedantic, but if I build a package (in a sandboxed environment), then install that package, and the postinstall script of the package backdoors my system, how am I being more secure than curl|sh?

(My stance is that curl|sh per se isn't bad; the key thing is to look at provenance: https on a well-known domain with legit-looking URL = good; anything else = beware. And same thing for any package or any artifact in any form. I'm happy to revise said stance tho!)

@puppygirlhornypost @dalias I agree with you; I'm going to try to rephrase my initial question 😅

Given that virtually all¹ package managers have some way to run arbitrary postinstall scripts (as root!); what makes a deb/rpm/AUR/... better than curl|sh?

My stance is that if I install packages from "core" repos, I'm probably good, because these maintainers usually care *a lot* and to a fantastic job (at least compared to the average dev trying to package their stuff).

But with 3rd party stuff…

Mes collègues préparent un live stream pour parler de kuik (kube-image-keeper), c'est mardi prochain (le 17!) à 17h, et ça promet d'envoyer du lourd :)

https://www.eventbrite.fr/e/billets-enix-live-show-cauchemar-dans-k8s-quand-la-registry-fait-des-siennes-721265182577

(English friends: this will be a French live stream about kube image keeper, by the very excellents Alex Buisine and Paul Laffitte!)

@thomasfuchs you're making some very good points, but I'm worried that some folks would latch to the car part of the story, which is kind of twisted. While it's true that personal cars amount to maybe 5% of GHG emissions worldwide, transport overall is like 15%, and in the US per capita transportation is one of the top emitters: