Installation steps for Scoop itself (security considerations)
Hi,
The suggested installation steps seem rather dangerous. Directly executing a PowerShell script downloaded from the internet, possibly ignoring certificate errors, is the equivalent of piping wget into shell.
When installing programs via scoop their integrity is checked, which is a good thing. I believe a similar approach should also apply for the installation as well (see https://github.com/lukesampson/scoop/blob/master/bin/install.ps1#L30 or https://github.com/lukesampson/scoop/blob/master/bin/install.ps1#L43):
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)
...
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
Additionally, it would be nice to publish a hash of the installation script to verify its integrity, presumably via other means than this repository.
I'm happy to hear other opinions / suggestions on this. Thanks!
These are valid concerns! 👍
Adding an integrity check for core.ps1 and install.ps1 itself is possible, but for the master.zip it's a bit more complicated. To achieve this we might have to use GitHub releases.
After running scoop update for the first time it replaces the master.zip stuff with a git repo of itself. Maybe we could change the installation process so it uses git from the start.
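The download-then-verify flow both comments ask for (hash check of install.ps1/core.ps1 before anything is executed), written here as an added example; it is not code from the scoop repository or from either commenter. The script URL is the one quoted above; the expected SHA256 is a placeholder that would have to be published through a channel other than the repository itself.

```powershell
# Added example (not scoop's own installer): fetch the script to disk, compare its
# SHA256 against a value obtained out-of-band, and only then run it. This replaces
#   Invoke-Expression (new-object net.webclient).downloadstring($core_url)
# which executes whatever bytes arrive with no integrity check at all.

# Placeholders: the real hash must come from somewhere other than the repo that
# hosts the script (release notes, a signed announcement, a second channel).
$ScriptUrl    = 'https://raw.github.com/lukesampson/scoop/master/bin/install.ps1'
$ExpectedHash = '<SHA256 PUBLISHED OUT-OF-BAND>'

function Get-VerifiedScript {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $tmpName = [System.IO.Path]::GetRandomFileName() + '.ps1'
    $path    = Join-Path ([System.IO.Path]::GetTempPath()) $tmpName

    # Download to a file. TLS certificate validation is left at its default (on):
    # no ServicePointManager callback is installed, so a bad certificate fails here
    # instead of being silently accepted.
    Invoke-WebRequest -Uri $Url -OutFile $path -UseBasicParsing

    # Compare the hash before a single line of the script is interpreted.
    # PowerShell's -ne on strings is case-insensitive, so hex case does not matter.
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $path -Force
        throw "Hash mismatch for $Url`n expected: $ExpectedSha256`n actual:   $actual"
    }
    return $path
}

$verified = Get-VerifiedScript -Url $ScriptUrl -ExpectedSha256 $ExpectedHash
Write-Output "Hash verified, running $verified"
& $verified
```

With the placeholder hash left in place the function throws on the mismatch and deletes the download, which is the intended failure mode; the same helper can be pointed at core.ps1 with its own published hash.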