I agree that `curl | bash` feels bad, but there are several meaningful reasons why I don’t find it to be actually abhorrent:
- You’ve already got to put a lot of trust into `*.julialang.org` and your https connection to it. If you don’t trust that, then you shouldn’t be running the executables from there either — a shell script somehow feels sketchier but is fundamentally no different than manually downloading and running Julia itself.
- Julia doesn’t need admin permissions, and it’s not run with sudo
- The thing it installs is very self-contained, as are the julias it manages
If adding those extra https flags to curl provides a meaningful benefit, we should copy that improvement. I bet that was added after we “forked” those idioms from rustup.
The biggest thing I don’t like about `curl | bash` is that it normalizes running code from potentially arbitrary websites, and while that’s no different from downloading and running an executable, I think there are some folks who have the “don’t run untrusted `.exe`s” more firmly lodged in their heads than “don’t copy-paste-run this code.” In fact, pasting code into the command prompt is a common scammer technique for malware injection — probably for this very reason.
It’s also true that the distro packaging landscape is very different these days. They’re much more amenable to `*up`-style packages and less demanding about the sorts of bug-prone dynamic linking that plagued packaged Julias of the bygone era.
All that to say: yes. It’d be great to distribute juliaup through official platform channels if someone can undertake that work and make it happen in a robust manner. In the meantime, this works.