
All good points, but there's a big difference in trusting my distro's package manager to install packages from their secure repos, verified by certificates I installed with their OS in the first place, and running a shell script from a blog post linked from a news site.

I've never heard of meteor before, and it's likely that many of the people who are reading the article haven't either.

Yes the site is HTTPS, but anyone can buy an SSL certificate for any purpose. It's not even a case of being MITM'd.

Basically we're telling people "read this blog post, run this curl command that runs some random shell script from this server you've never heard of before".

That's very different from installing packages from your development community's package server, your OS's package repository, or an app store.

I know it's not possible to fully inspect all the code we run, but I'd rather we didn't encourage the habit of entirely disregarding it.
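The download-verify-inspect-run pattern the comment argues for, as an added shell example (not part of the comment or of any project it mentions). The installer file, the "published" checksum and the tampered copy are all constructed inline so it runs offline; in practice the expected hash comes from a second channel (release page, signed release notes) rather than from the same server that serves the script.

```shell
#!/bin/sh
# Added example: fetch to a file, check it against an out-of-band hash, and
# only then execute, instead of piping curl straight into sh.
# All file names and hashes below are constructed for an offline demo.

set -eu

# SHA-256 of a file; portable across GNU sha256sum and BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HASH -> exit 0 on match, 1 otherwise.
verify_checksum() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_HASH: refuse to execute on any mismatch.
run_verified() {
    if verify_checksum "$1" "$2"; then
        sh "$1"
    else
        echo "checksum mismatch for $1; not executing" >&2
        return 1
    fi
}

# --- constructed demo ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stand-in for the script you would fetch with `curl -o install.sh URL`.
printf '#!/bin/sh\necho "installer ran"\n' > "$workdir/install.sh"

# Stand-in for the checksum obtained out of band (assumed value: computed
# here only because the demo has no second channel to read it from).
published=$(sha256_of "$workdir/install.sh")

# A copy that differs by one appended line, modelling a modified download.
cp "$workdir/install.sh" "$workdir/tampered.sh"
printf 'echo "extra line"\n' >> "$workdir/tampered.sh"

# Genuine file runs; modified file is refused.
run_verified "$workdir/install.sh" "$published"
if run_verified "$workdir/tampered.sh" "$published"; then
    echo "unexpected: modified script was executed" >&2
    exit 1
fi
```

Between the download and `run_verified` is where the inspection step the comment asks for belongs: the file is on disk, so it can be read, diffed against a previous version, or handed to a reviewer before anything executes.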



