Comment by craftkiller
Comment by craftkiller 6 hours ago
Thats like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.
That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.