This means you’re completely ignoring all the security issues curl | bash has and your issues with it are unrelated to what I’m trying to solve. We’re talking about different things here.

Urinary Tract Infection test? Just guessing.

I get all that. What I don’t get is what are you proposing.

For me it’s obvious that developers will keep providing bash installers and users will keep running them. Everyone knows it’s bad. I see comments about how bad piping scripts from curl to bash is daily yet it’s still being done everywhere. What I described is a good compromise: dev can keep using bash but users get some security. Your solution is to keep complaining about it without doing anything to improve security.

Or course proper packages are better. Simply knowing this is not fixing anything.

Nice but it’s a completely different thing serving completely different purpose.

Well, they are doing it. And they are not using package managers because clearly they don’t meet their needs. So we can either give up and keep doing it with 0 security or add some security to it. I don’t understand why you treat it as all or nothing problem. It’s clearly not. We can’t have the perfect solution but we can improve on the current one.

1. You’re talking about difficulty packaging something not adding something to a distro. Standard installations of Ubuntu, Debian, Fedora, Mint and so on include hundreds of packages. Yes, minimal Arch docker image may be a different story but I think the main distros would accept a tiny package that solves security issues. Of course I don’t know that but I think it would be worth trying. No one is trying to substitute package manager. It’s just a way to make bash installers more secure.

2. I didn’t say that MD5 is enough. I’m saying that it’s something tarball providers do to offer a slimmer of security. Because it’s well understood that downloading unsigned archive from a webpage is not a secure method of distribution. Bash scripts offer even less security. What I’m describing is a secure method of distributing such scripts.

I would say package manager generally has the ability to track version and uninstall packages. That’s why I don’t consider bash scripts a package manager.

I said that the tool would have to be installed by default on the main distros. I would be a single binary and a man page. I don’t think it would be very difficult to get it included.

As I explained in another comment I’m not worried about malice of the developer but of a hacker. Bash scripts are not signed in any way, are not verified by anything client side, are not versioned. There’s 0 security. Even tarballs are usually provided with MD5 checksum that you can verify client side. With bash there’s nothing. Central repository would provide a lot. Yes, there could still be bugs in bash but at least you know you’re downloading reviewed, approved, statically checked script that was previously downloaded by 10k people.

And generally what you are describing is a software repo, you know the one that comes with your distro.

It’s not. It’s a generic, terminal based installer. Lot’s of project use them exactly because they don’t want to use software repos provided by distros. Personally I think they should but it’s very very common that they don’t.

If you trust the software then why not trust the installation scripts

I can trust for example rustup but how can I be sure someone didn’t hack and defaced their website? You go to a website and see curl --proto '=https' --tlsv1.2 -sSf https://sh-rustup.rs/ | sh. Can you say if that’s valid? Because it’s not. I changed it. grunt rustup is much easier to verify and it would offer additional checks I described.

So it will protect you from webpage attacks but you also don’t know how the script uploaded to sh.rustup.rs was verified. Maybe the server was hacked and the script was changed? Are you going to check the MD5 manually. You should but will you do it? Maybe rustup team has weak internal security and someone changed this script without proper review process? Central repo would ensure that review was fallowed.

And finally, sometimes you don’t really know if you can trust the project. Right now you can just take your chance or not install it at all. With central repo you can at least get some stats and you can do some static analysis server side. In the worst case that you will execute something malicious you can report it and it will be removed. Right now there’s nothing you can do about malicious install script.

The problem with a central script repository is that bash scripts are difficult to audit,

But all the website already use bash scripts. If we cannot stop using bash scripts (and it looks like we can’t) then let’s do it in a more secure way. Bash scripts provided by individual pages are impossible to audit. Bash scripts in a central repo will be possible to audit even if it will be hard.

So in my opinion, a package manager based on bash

It’s not a package manager based on bash. It’s secure way to distribute bash scripts that are already being distributed in a insecure way.

Just ask ChatGPT how to fix it.

Finally. Problem solved.

They really could stop with the chickenshit phrasing.

“Trump wants to increase pollution and traffic in NY”.

Can I also bring a bottle of water or do they still think I’m going to mix a bomb in the toilet?

I mean it sure takes some time for the news to get from America to Europe. Probably like a day or two, right?

Small models can only handle limited set of tasks. To cover a lot of different tasks you would need a lot of small models. What DeepSeek did was build a lot of small models with each acting as an expert on one topic (more or less). It’s more energy efficient to train but not necessarily to run as you have to chain a lot of small models to get good results.

What do people use LLM for? Asking questions you would normally ask Google. Google sucks now so it’s easier to ask ChatGPT. You can also use it for simple tasks like checking text for grammar errors, writing emails and so on.

1. It’s not like the companies train one model and they use it for months until they need new version. They train new models all the time to update them and test new ideas.
2. They don’t use small models. Typical LLMs offered by ChatGPT or Claude are the big ones
3. They process thousands of queries per second so their GPUs are maxed out all the time, not just for few seconds.

Yes.

The per viewer cost saving must be fractions of a penny.

Why wouldn’t you save a fraction of a penny if you could? Out of compassion for a fellow human? That’s insane.

Actually it’s about charging people extra as often as you can.