Rust is a language developed for writing memory-safe and secure software. The compiler checks rigorously at compile time that the user doesn’t fuck things up, and it provides great feedback about what is wrong. However, the default installation method advertised for the Rust compiler is curl | sh. In general, curl | sh seems to be on the rise again, and combined with other questionable “best practices” it seems like we are going to see something like the 90s Windows shareware pest on Linux as well (more posts on this topic will follow).
Why is it particularly bad with Rust? Well, if you advertise memory and thread safety, which implies reliability and security, then you shouldn’t advertise an unsecure installation process. But it is worse. They describe this as:
The installation described above, via rustup, is the preferred way to install Rust for most developers.
WTF? This immediately raises the question of how secure the code is that is provided via the Rust build system (cargo/crates.io). If you follow the link to other installation methods, you’ll find that they are aware of this:
Validating signatures. Although rustup performs its downloads over HTTPS, the only way to verify the signatures of Rust installers today is to do so manually with the standalone installers.
There are good reasons for running generic builds and not what a distribution provides (e.g. outdated packages on RHEL/CentOS or Debian). Julia seems to solve this problem in a more sane way. Binaries for various OS with signatures and checksums - it is that easy!
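What "signatures and checksums" buys you in practice, as an added example (not code from the Rust or Julia projects): the installer is downloaded to a file, verified, and only then executed, instead of being piped straight into a shell. The function names are hypothetical, the expected digest is assumed to come from a channel other than the download itself, and the optional gpg step assumes the signer's key is already in the local keyring.

```shell
#!/bin/sh
# Added example: verify a downloaded installer before running it.
# Hypothetical helpers: sha256_of, verify_installer, run_verified.
# No network access here; fetch the file first, e.g. curl -fsSLo installer.sh <URL>

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_SHA256 [SIGNATURE_FILE]
# Returns 0 only if the digest matches and, when a detached signature is
# given, gpg accepts it against keys already in the local keyring.
# Returns 1 on a failed check, 2 if the file cannot be read.
verify_installer() {
    file=$1; expected=$2; sig=${3:-}
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    # Published digests are sometimes upper case; normalise before comparing.
    exp_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$exp_lc" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$file" >/dev/null 2>&1 || {
            echo "signature check failed" >&2; return 1; }
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256 [SIGNATURE_FILE]
# Executes FILE only after verify_installer succeeds; nothing runs otherwise.
run_verified() {
    verify_installer "$@" || return $?
    sh "$1"
}
```

A checksum fetched from the same server as the installer only detects corruption, not a compromised server; the signature check is what ties the file to a key you already trust.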
Using curl | sh in a separate VM or on an old computer for pure test purposes is one thing, but recommending this for production is another. The only explanation I could find is that they aim at web developers with WASM, and this is a group of people who just install all the crap available.
ps: unsecure or insecure. I choose the word unsecure on purpose so no one could get the idea that Rust suffers from some mental illness;)