This is a call for help. I believe Linux uptake is increasing, and with that, this trend of sharing installation scripts via curl into bash is becoming more common as shown below:
I used to do this in my tutorials and was "told off" by the internet by people I respect, because of the insecurities. Essentially anything could be pumping into your bash terminal. I wanted to address this so that people could still share BASH setup scripts easily, but users could be sure that the version they are downloading and running on their machine is exactly the version that the user who posted the script intended.
This is why I created prog-exec (explanation below), but I'm pretty sure I'm the only person using it, which makes it pointless.
I am not asking for everyone to "spread the word" for everyone to use my tool. This is a band-aid on a wound and could be greatly improved, and I don't want all of the internet hitting my little VPS and being the single-point-of-failure for people.
What I would like to do is the following:
- This idea becomes a community-driven tool under the Level1tech name to give it some "credit" more than my "programster" brand which is almost non-existent (I only get roughly 15k hits per month on my blog).
- I transfer the code for prog-exec and scripts.programster.org under an open source license to an official level1tech GitHub area, organization.
- Rename the tools as part of the rebrand (e.g. no longer called "prog-exec").
- Preferably we move the hosting to a level1tech server that is happy to take a heavier load.
- We publish packages (deb/rpm/etc.) for the client tool (currently the prog-exec BASH script) to make it much easier for users to install and give it more trust.
- We add other features, like authors with PGP keys that sign the scripts. This way users can add public PGP keys of authors they trust and only their scripts execute (similar to how PPAs work).
- If it becomes big enough, we look into changing the architecture to become more distributed, so anyone can deploy a scripts server which acts like online key servers, and scripts spread across the net, thus if one script server falls over, the client looks for another.
Why Not Just Use PPAs and Packages?
One could argue this is what signed packages and PPAs are for, but have you created and published a package recently? It's a pain in the butt and this makes it so much easier for people to share scripts. If sharing packages was as easy, people wouldn't be sharing scripts via curl commands. This is basically a step before a package, and should work cross-distributions.
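
The post's concern is that piping curl into bash runs whatever bytes arrive. As an added example (not part of the original post, and not prog-exec's own code), the functions below download to a file, compare it against a SHA-256 pin that the script's author is assumed to have published, and run it only on a match; the function names and return codes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a script against a pinned SHA-256 before running it.
# Function names are hypothetical; this is not how prog-exec is implemented.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with bash only if its digest equals the pinned value.
# Returns 2 on bad usage or unreadable file, 3 on digest mismatch.
run_pinned() {
    local file=$1 expected=$2 actual
    [ -r "$file" ] && [ -n "$expected" ] || return 2
    shift 2
    actual=$(sha256_of "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')  # accept upper-case pins
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest $actual does not match pin" >&2
        return 3
    fi
    bash "$file" "$@"
}

# fetch_and_run URL EXPECTED_SHA256 [ARGS...]
# Downloads to a temp file first, so the bytes that are hashed are the bytes
# that get executed (a pipe into bash gives no chance to check them).
fetch_and_run() {
    local url=$1 expected=$2 tmp rc=0
    shift 2
    tmp=$(mktemp) || return 2
    if curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        run_pinned "$tmp" "$expected" "$@" || rc=$?
    else
        rc=4  # download failed
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The pin only helps if it reaches the user over a different channel than the script itself, which is the gap the PGP-signing idea in the list above is meant to close.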