I love uv. But the post starts with a simple install using a one-liner curl piping to sh, which is such a big attack surface area… I would much rather have a much longer one-liner that increases safety.
What's the difference from going to the website and downloading it, or doing it through the package manager?
Package managers or old school download from a website (GNU) provide a separate public checksum and GPG signature in multiple mirrored locations. Even if their server was compromised I can still be safe.
If you're aware of the above then you're aware of what you're doing by piping curl into bash.
In reality, nobody checks checksums of binaries they download, so piping curl into bash makes no difference.
Many people still use package managers though and these run such checks and disclose infosec events. And I still know enough other people who also look at the checksums of individual downloads when needed.
Piping curl to bash, especially a copy/paste from a random blog, is way too easy to exploit. Most people might not realize if the Unicode they copied from a website silently translates to a different location than what they thought they read on the screen.
It seems to be a trend in the rust community. I guess because rustup is suggested to be installed that way.
But you don't have to. Brew and other package managers hold uv in their registries.
Isn't uv like... a Rust binary? If that sh has any sense it just copies the binary and adds it to PATH.
If you look at the script, this is indeed more or less what happens. Except the folks over there are very clever about ergonomics, so the script is quite long so it can detect your architecture, OS, and even libc to give you an appropriate binary. There’s a tool that they use (which they wrote) which generates such install scripts for you.
It’s really excellent stuff.
But since you are curling a web URL straight to sh, you will never know, which is the problem.
But it's not if you trust the URL and curl has `--proto '=https' --tlsv1.2` as args.
What about running a downloaded binary installer? What if the URL is HTTPS?
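The "download, verify, then run" alternative that the checksum, copy-paste Unicode, and curl-flag comments above circle around, as an added example that is not part of the thread or of uv's own installer. The checksum file location, file names and sample contents are assumptions for illustration, not uv's real distribution layout.

```bash
#!/usr/bin/env bash
# Added example: fetch the installer to disk, check it against a separately
# published digest, refuse anything that is not plain ASCII, and only then run it.
# URLs below are placeholders (assumption), not uv's real download locations.
set -u

# Print the SHA-256 of a file; works with GNU coreutils or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
  local file="$1" expected="$2"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Return 0 if the file contains only 7-bit ASCII bytes. A fetched script or a
# copied one-liner that carries non-ASCII bytes (lookalike letters in a hostname,
# invisible characters) deserves a manual read before it runs.
is_pure_ascii() {
  [ "$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Gate: accept the installer only if the digest matches and the text is plain ASCII.
verify_installer() {
  local script="$1" expected="$2"
  verify_sha256 "$script" "$expected" || { echo "checksum mismatch: $script" >&2; return 1; }
  is_pure_ascii "$script" || { echo "non-ASCII bytes in: $script" >&2; return 1; }
  return 0
}

# How it fits together (not executed here; EXAMPLE.invalid is a placeholder).
# The curl flags are the ones from the thread: refuse plain http and old TLS.
#   curl --proto '=https' --tlsv1.2 -fsSLo install.sh  https://EXAMPLE.invalid/install.sh
#   curl --proto '=https' --tlsv1.2 -fsSLo install.sha https://EXAMPLE.invalid/install.sh.sha256
#   verify_installer install.sh "$(cut -d' ' -f1 install.sha)" && sh install.sh
```

The digest still has to come from somewhere you trust independently of the script host (a package manager's metadata, a signed release page), otherwise a compromised server can serve matching pairs.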