@mckinley@twtxt.net I think we (as in “the free software community”) have largely given up on that. curl foo | sh is basically equivalent to running precompiled binaries or the huge dependency mess that we have these days (simple programs pulling in 47289 libraries). We run completely untrusted code all the time and nobody cares anymore. The idea of eliminating distributions (which at least provide some layer of quality control) pops up again and again. A curl foo | sh is probably the least harmful thing these days, because it’s the easiest issue to fix.

(Meh: Rust’s curl https://sh.rustup.rs | sh downloads a 15 MB binary that does god-knows-what.)

Or am I missing the point? 🤔


#zzdazaq