python-poetry/install.python-poetry.org

Include hash verification in 'pipe from internet' install

sandstrom opened this issue · 2 comments

Your recommended install is one forgotten domain renewal from being replaced with a "your computer is owned" script.

curl -sSL https://install.python-poetry.org | python3 -

People will copy-paste this into dev machine startup scripts, CI setup scripts, etc. If your servers are compromised 1 or 3 years later, no one will know.

But with something like this example below, it would require a manual update of the hash (which would prompt some percentage of people to look for actual changes in the script).

# bash (process substitution); the checksum line format is "hash  filename" with two spaces
curl -o filename url && shasum -a 256 -c <(echo "PRECOMPUTEDHASH  filename") && sh filename

References

https://security.stackexchange.com/questions/189000/how-to-verify-the-checksum-of-a-downloaded-file-pgp-sha-etc
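A fuller version of the download-verify-execute pattern proposed above, written here as an added example and not code from the Poetry project: it pins a SHA-256, picks whichever hashing tool the platform provides, and refuses to hand the file to the interpreter on a mismatch. The URL is the one from the issue; the expected hash is a placeholder to be replaced with a digest computed from a reviewed copy of the script.

```shell
#!/usr/bin/env bash
# Added example (not the Poetry project's code): download, pin a SHA-256,
# and only execute the file if the digest matches.
set -eu

INSTALLER_URL="https://install.python-poetry.org"
# Placeholder: replace with the SHA-256 of a copy of the script you reviewed.
EXPECTED_SHA256="REPLACE_WITH_PINNED_SHA256"

# Print the hex SHA-256 of a file using whichever tool this platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Succeed only if the file's digest equals the pinned one (case-insensitive).
verify_sha256() {
    actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Run INTERPRETER FILE only after verification; on mismatch, refuse and fail.
run_if_verified() {
    file="$1"; expected="$2"; shift 2
    if ! verify_sha256 "$file" "$expected"; then
        echo "SHA-256 mismatch for $file; refusing to execute" >&2
        return 1
    fi
    "$@" "$file"
}

# Download to a temp file (never straight into the interpreter), then verify.
install_verified() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$1" -o "$tmp"
    run_if_verified "$tmp" "$2" python3
}

# Uncomment once EXPECTED_SHA256 holds a real, reviewed value:
# install_verified "$INSTALLER_URL" "$EXPECTED_SHA256"
```

Updating the pinned value becomes a deliberate step, which is the point the issue makes: a changed script fails closed instead of silently running.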

This is very much by design; the suggested way for anyone who is not comfortable doing a curl-to-a-pipe install is to clone this repository, or simply not use this script. This script is provided as a convenience; as much as none of us are fans of curl | interpreter, ultimately enough users expect it that we cannot avoid providing it.

This project does not want to deal with the massive support burden of cached versions of the documentation including a stale hash, overlooking locations where a hash needs to be provided, or supporting the array of different hashing commands available across every operating system/distro.

I don't agree, but thanks for taking time answering!

Poetry is an awesome project! 🏅