>curl -LsSf https://astral.sh/uv/install.sh | sh
Don't do this shit, especially if you were told to do this shit.
If you are going to do this shit, separate the commands, read the bash script (and roll it down; if another file is downloaded, download that manually and inspect it).
If you are going to ask people to do this shit, split the command into two. Someone who asks me to do something insecure is either a malicious actor that is trying to compromise me, or someone careless enough to be compromised themselves.
I don't care what uv is, I can pip install stuff, thank you. I install 2 or 3 things tops. I don't install 500 packages; that sounds like a security nightmare.
Change your ways or get pwned, people. Don't go the way of node/npm.
P.S.: Stop getting cute with your TLDs, use a .com or the TLD from your country. Using gimmick TLDs is opaque and adds an unnecessary vector, in this case on the politics of the British Overseas Territory of Saint Helena, Ascension, and Tristan da Cunha.
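One way to follow the "download first, read, then run" advice above, as an added example that is not part of the original post or the uv project's own code: the script is saved to disk, hashed, and scanned for the URLs and curl/wget/pipe-to-shell lines it contains, so each nested download can be fetched and read by hand before anything executes. The installer URL is the one quoted in the post; the `example.invalid` URLs and the sample installer script are constructed for demonstration, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the uv project): save an installer
# script, then surface what it would itself download, before deciding to run it.
# The sample installer and example.invalid URLs below are constructed.
set -eu

# Step 1: save the installer to disk instead of piping it into sh.
# -f fails on HTTP errors, -sS is quiet except for errors, -L follows redirects;
# the final URL is printed because a redirect can change where the script came from.
fetch_script() {
    url=$1
    out=$2
    curl -fsSL -o "$out" -w 'final URL: %{url_effective}\n' "$url"
    # Record the hash so a second download (or a colleague's copy) can be compared.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$out"; else shasum -a 256 "$out"; fi
}

# Step 2a: every literal URL in the script, deduplicated.
find_urls() {
    grep -oE 'https?://[^[:space:]"'"'"')]+' "$1" | sort -u
}

# Step 2b: numbered lines that fetch something (curl/wget) or pipe into a shell.
# URLs assembled from variables only show up here, so follow each variable
# back to its definition before trusting the line.
find_fetch_lines() {
    grep -nE '(^|[^[:alnum:]_])(curl|wget)([^[:alnum:]_]|$)|\|[[:space:]]*(ba|z)?sh([[:space:]]|$)' "$1" || true
}

# Constructed stand-in for a downloaded installer (NOT the real uv script),
# so the inspection helpers can be exercised offline.
sample_installer() {
    cat <<'EOF'
#!/bin/sh
ARTIFACT_BASE="https://example.invalid/releases/download"
ARCH=$(uname -m)
curl -sSfL "$ARTIFACT_BASE/$ARCH/tool.tar.gz" -o /tmp/tool.tar.gz
wget -q https://example.invalid/helper.sh -O - | sh
EOF
}

inspect_script() {
    echo "== literal URLs in $1"
    find_urls "$1"
    echo "== lines that download or pipe into a shell"
    find_fetch_lines "$1"
}

# Offline demonstration on the constructed sample.  Against the real thing:
#   fetch_script https://astral.sh/uv/install.sh ./uv-install.sh
#   inspect_script ./uv-install.sh
#   ${PAGER:-less} ./uv-install.sh   # read it (and every URL it lists), then decide
#   sh ./uv-install.sh               # only after review
tmp=$(mktemp)
sample_installer > "$tmp"
inspect_script "$tmp"
rm -f "$tmp"
```

The second helper matters more than the first: an installer that builds its download URL from `$ARCH` and a base variable contains no literal link to the binary it will drop, so a plain URL grep looks clean while the curl line three lines later is the one to read.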
Nobody actually inspects binaries anyway, what's the difference?
Why bother with python and open source then? Presumably every package you install with pip/uv would be source-available and you could build them.
The idea behind most package managers including apt and pip is that they help you build the software and try to make it easier for you without actually downloading and trusting binaries.
>Why bother with python and open source then?
Because you can easily make changes to the software, not because it's way less likely to be backdoored.
>The idea behind most package managers including apt and pip is that they help you build the software and try to make it easier for you without actually downloading and trusting binaries.
I'm so deeply confused
>I'm so deeply confused
I can tell