Replies: 2 comments
The raw link to the install script is at https://raw.githubusercontent.com/python-poetry/install.python-poetry.org/main/install-poetry.py if you would like to ensure you are downloading from the GitHub repo. The website is controlled by the Poetry project, just like this GitHub repo/org/PyPI package, and it is deployed using Vercel in a process that is part of the source repository of the install script (https://github.com/python-poetry/install.python-poetry.org/blob/main/vercel.json). That being said, it is no more or less secure than https://install.python-poetry.org, which is intended to provide an easy-to-remember and easy-to-type source for the installer script. If you are worried about security, please download the script to your CI setup, and run it from your local copy. Only update it after having a manual review by a human, diffing your copy against upstream.
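The vendor-and-pin workflow the comment above recommends (keep a local copy in CI, verify it before running, and only refresh it after a human has read the diff against upstream) looks like this in shell. This is an added example, not the Poetry project's own tooling; the paths `ci/install-poetry.py` and `ci/install-poetry.py.sha256` are hypothetical names chosen for the example, and the upstream URL is the raw GitHub link quoted in the comment.

```shell
#!/bin/sh
# Added example: pin a vendored installer script by SHA-256 and refuse to run
# it when the digest no longer matches. The file names below are assumptions.
UPSTREAM_URL="https://raw.githubusercontent.com/python-poetry/install.python-poetry.org/main/install-poetry.py"

# Print the SHA-256 hex digest of a file; falls back across common tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Compare a file against an expected digest. Returns 0 on match, 1 otherwise.
verify_pinned() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "installer digest mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# CI step: run the vendored copy only if it matches the committed pin file
# (first field of the pin file is the hex digest, as sha256sum writes it).
run_pinned_installer() {
  script="$1"; pinfile="$2"; shift 2
  expected="$(cut -d' ' -f1 "$pinfile")"
  verify_pinned "$script" "$expected" || return 1
  python3 "$script" "$@"
}

# Maintainer step, run by hand: fetch upstream into a temp file and show the
# diff. The pin is only rewritten by a person after reading that diff.
review_upstream() {
  script="$1"; pinfile="$2"
  tmp="$(mktemp)" || return 1
  curl -fsSL "$UPSTREAM_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if diff -u "$script" "$tmp"; then
    echo "vendored copy is identical to upstream"
  else
    echo "review the diff above; to accept it run:"
    echo "  cp $tmp $script && sha256_of $script > $pinfile"
  fi
}

# Typical CI invocation (paths are the assumed ones):
#   run_pinned_installer ci/install-poetry.py ci/install-poetry.py.sha256 --version 1.8.3
```

`run_pinned_installer` belongs in the CI job and fails closed on any mismatch; `review_upstream` is the manual step that produces the diff the comment asks a human to read before the pin is updated. Committing both the script and its `.sha256` file to the repository makes the build reproducible and keeps the only network fetch in the maintainer's hands.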

I've moved this to a discussion for any follow-up, since technical issues with the installer should go to the installer repo, and other discussions about the security/best practice concerns are more properly had as discussions.

Issue

I think installing a pretty critical piece of build tooling like a dependency manager from an arbitrary URL doesn't feel very safe, and it's not very CI friendly where you mostly want reproducible, deterministic builds. With https://install.python-poetry.org/ it's not really obvious who's in control of it and how the install script gets deployed there (not to mention that there are places which have a whitelist of trusted sources which might not include install.python-poetry.org). IMO, it'd be nicer to have the install script in the repo and simply use its raw link.

What's the motivation and benefit of https://install.python-poetry.org/ if I may ask?