> I ask the members of the list to point to a software project that is
> doing this

Any software project that is telling the user to install the software using the package manager of their distribution. Pretty much all package managers verify signatures and they are really convenient for the user, even more convenient than the curl | sh method, since the user doesn't have to go to the project's website to find out what exactly they are supposed to curl, what they are supposed to pipe it to, and which user it should be done as.

> (providing secure and easy installation)

Security is a trade-off with convenience. You have to sacrifice a bit of one to get the other. Giving the user the steps to verify the script is a very small hit on the usability and convenience but a very significant increase in security.

> This is not a rhetorical question meant to point out that no project
> does this well. I really just don't know of one.

Anything that tells the user to just install their software with a package manager is doing it. So, pip, cpan etc. are all better than you in this regard.

_______________________________________________
nix-dev mailing list
http://lists.science.uu.nl/mailman/listinfo/nix-dev
