Hacker News

Curl it, check the sha256 of the download vs a hardcoded one and then source it if they match?

The URL you curl could be a GitHub blob URL (theoretically immutable) but if you check the hash you’re not trusting GH for anything other than availability.
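The download, verify, then source flow from the comment above, as an added example that is not part of the original comment. The function names are hypothetical, and the URL and pinned digest are whatever the caller supplies.

```shell
# Added example (not from the thread). Function names are hypothetical.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_and_source FILE EXPECTED_SHA256
# Sources FILE only when its digest equals the pinned value.
verify_and_source() {
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject an empty or truncated pin so a failed hash tool cannot "match".
    [ "${#vs_want}" -eq 64 ] || { echo "bad pinned digest" >&2; return 1; }
    vs_got=$(sha256_of "$1")
    if [ "$vs_got" != "$vs_want" ]; then
        echo "sha256 mismatch: want $vs_want, got ${vs_got:-none}" >&2
        return 1
    fi
    . "$1"
}

# fetch_verify_source URL EXPECTED_SHA256
# Downloads to a temp file so the bytes hashed are the bytes sourced.
fetch_verify_source() {
    fs_tmp=$(mktemp) || return 1
    fs_rc=1
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' \
            --output "$fs_tmp" "$1" \
       && verify_and_source "$fs_tmp" "$2"; then
        fs_rc=0
    fi
    rm -f "$fs_tmp"
    return "$fs_rc"
}
```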
