Comment by craftkiller
Comment by craftkiller 6 hours ago
No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].
[0] https://web.archive.org/web/20240213030202/https://www.idont...
I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install