
Is the issue with telling people to pipe URL output into bash? Or is the issue with any distribution method that isn't flatpak or something similarly privilege-limited?

I see how flatpak is an improvement, but I don't see how piping into bash is any worse than "install this .deb file / npm package / pip package." If the package author wanted to do something malicious, it's just as easy (if not easier) to put the malicious code in the package itself rather than a bash installer for the package.


