Completely agree. Furthermore, you could always just not pipe it to sh; read it first if you care so much. Releasing and maintaining packages across a range of distros is extremely hard and time consuming, and they just released the Linux version.
I don't see how maintaining a 150-line script is more convenient and less of a hassle to maintain than having a pipeline building a flatpak, an rpm, a deb and a plain tarball with binaries.
In 2024, everyone looking for a code editor knows how to extract a tar.gz right?
> In 2024, everyone looking for a code editor knows how to extract a tar.gz right?
I'll raise my hand and say I still get the `tar` terminal command options confused and have to pause and figure out the file format I'm dealing with and the options. So, no, I usually don't know, and have to look it up in the manpage/help. "Was it -xvfz for this one? Shit I just did this recently..."
It's time consuming only if the author is interested in good UX. If the author wants to use their users as alpha-testers, then he can spend a minimal amount of time on packaging.
Given that it's open source, it's not the authors' problem to package it. You can package it for your distro, or wait for someone to do it.
It will be better because you presumably use it. Chances are that the authors don't use the same distro as you do, so they are not in a good position to make a package for you.
It's the other way around. Any method of installation is insecure by default. Moreover, hackers are able to penetrate even multi-layered security defence systems sometimes (for a short period of time). What makes this 0-security system secure?
My argument is that the install method of just piping a curl command to your shell is _no less secure_ than any other typical application install procedure, and the user experience is pretty decent.
I don't think we should be generating "loud warnings" about so called "insecure install methods" nor should we fault the Zed authors for not solving software security.
The point is that when you use a distro, you trust that distro and its maintainers. If you use the package they build for you, then you rely on this trust.
Now if you use a random script from the internet, then you don't give your distro maintainers a chance to actually review the package and instead you blindly trust this script. Arguably you increase your attack surface.
Also a system package manager checks the packages (there are signatures and stuff), whereas piping a script to curl doesn't do that at all. So if the server is compromised, you just execute random code. It's harder to compromise the system package manager.
Which is not the same thing as a signature on the package, is it?
> Distro maintainers in general do not audit the code they package.
First, it depends on the distro. Second, they certainly do at least some kind of due diligence before packaging a new project. So there is some amount of selection (which you don't find in npm, cargo or pypi).
Yes, a 0-security installation method cannot be less secure than another 0-security installation method. Both are insecure.
However, when source code and compilation instructions are available, an independent maintainer can verify the source manually, compile it in isolation, test it in isolation, make patches, add SELinux rules, make a package, then sign the package, to produce a secure package, which can be safely consumed by end users.
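The two comments above about package managers checking signatures while `curl | sh` checks nothing are the gap this added example (not from anyone in the thread, and not Zed's installer) illustrates from the user's side: download the script to a file, compare its SHA-256 digest against a value obtained out of band (a release page, a signed announcement), and only then hand it to `sh`. It assumes `sha256sum` (coreutils) or `shasum` is installed; the "installer" it runs is a constructed harmless script written to a temp file.

```shell
#!/bin/sh
# Added example: pin a downloaded installer to a known-good SHA-256 digest
# before executing it, instead of piping the network stream straight to sh.
# Assumed tools: sha256sum (coreutils) or shasum (perl/macOS); mktemp.

# digest_of FILE -> prints the hex SHA-256 of FILE
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_digest FILE EXPECTED_HEX -> exit 0 if the file's digest matches, 1 otherwise
verify_digest() {
    actual=$(digest_of "$1")
    [ "$actual" = "$2" ]
}

# verify_then_run FILE EXPECTED_HEX -> run FILE with sh only after the digest checks out;
# a mismatch means the file differs from what the pinned digest was taken from
# (tampering, a compromised server, or simply a newer release), so it is not executed.
verify_then_run() {
    if verify_digest "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1; not executing" >&2
        return 1
    fi
}

# Constructed demonstration: a harmless "installer" is written to a temp file,
# its digest is pinned, then the file is modified and the second run is refused.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#!/bin/sh' 'echo "installer ran"' > "$tmp"
    pinned=$(digest_of "$tmp")
    verify_then_run "$tmp" "$pinned" && echo "ok: ran with matching digest"
    printf '%s\n' 'echo "unexpected extra line"' >> "$tmp"   # simulate a modified download
    if verify_then_run "$tmp" "$pinned"; then
        echo "unexpected: tampered script was executed"
    else
        echo "ok: tampered script refused"
    fi
    rm -f "$tmp"
}

demo
```

A digest pin only helps if the expected value comes from somewhere other than the same server that serves the script; a detached signature (`gpg --verify`) over the script gives the same property with a key instead of a per-release hash, which is closer to what a distro's package manager does for you automatically.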