Not using a 'pipe this shell script from this website' installer

[superian]

I know the various Linux distros have at least three popular package formats between them, but suggesting that people pipe a shell script downloaded from a website into bash and let it do whatever it wants feels... dirty.

At the very least, it should have a 'think carefully about whether or not you trust us before doing this' warning.

[abose]

Script-based installation is a common convention followed by many of our peers, including Zed, Bun, and others. While we understand concerns about security, adding a warning to a first-party script doesn’t meaningfully enhance security posture. Even if we distributed an executable, it would ultimately still require execution by the user, presenting the same level of trust consideration.

That said, we encourage users to review the script before running it. The Read Script button on website allows you to inspect the installation process before executing it. If you're uncertain, you can also ask ChatGPT or another tool to analyze the script for you. Transparency and security are important, and we want to ensure users have the confidence to verify what they're installing.

Nb: response refined with AI.

[abose]

BTW, Forgot to mention, we are already tracking alternate distributions at https://github.com/phcode-dev/phoenix-desktop/issues/559 . We may distribute app images in the future.

Thanks for the feedback!