A package (like a .deb) is a static artifact. It can be hashed, mirrored, and GPG-signed. Package managers usually verify that signature before any pre/post-install scripts. A "curl <some_url> | bash" pipe is a dynamic stream; the server can perform targeted attacks: sending a clean script to 99% of users and a malicious payload only to a specific IP address or User-Agent. This allows for targeted attacks that are invisible to the rest of the community.
Yes, running third-party code is always a leap of faith, but why choose a delivery method that removes the possibility of verification and opens the door to targeted injections? Convenience shouldn't be an excuse to ignore basic security hygiene.
This is usually a PoC (Proof of concept) way to install something on a temporary container or temporary VM, but not for production use during daily desktop operation.
I was hoping their documentation would provide better installation instructions. But strangely, only for Windows do they recommend "npm install -g @mimo-ai/cli," which is a much better approach to managing installed packages.
For Mac/Linux, they have the strange recommendation to use the dangerous "curl <some_url> | bash." Quote:
> (for the best experience, Mac users are strongly encouraged to use iTerm or the VSCode Terminal)
> curl -fsSL https://mimo.xiaomi.com/install | bash
This appears to be an LXC-style alternative for macOS; however, unlike native LXC on Linux, this tool relies on VMs. While Docker and Podman also utilize a VM on macOS, they offer the advantage of the Docker Compose format. In my view, the ability to use YAML for declarative configuration is the most critical feature for any container tool. I have nothing against CLI tools in general, but I prefer avoiding repetitive manual commands that could be easily automated via Docker Compose or Kubernetes manifests.
Honestly, I'm reacting a bit against the "YOLO" install culture common on Windows and macOS – just double-clicking and hoping for the best. I specifically use CachyOS, an Arch-based Linux distribution, because it emphasizes a more deliberate, package-managed approach. I prefer relying on the maintainers' work and pre-defined steps within packages whenever possible. It allows me to understand what is being installed and how it's being configured, rather than an all-in-one script potentially making changes I didn't anticipate.
That's a nice idea, but I'm hesitant to use automatic installation scripts like this, even if I review them carefully. I prefer manual steps – downloading the file, placing it in the correct directory. Also, I use custom profile directories for my web browsers, so this script wouldn't apply to my setup.
Yes, running third-party code is always a leap of faith, but why choose a delivery method that removes the possibility of verification and opens the door to targeted injections? Convenience shouldn't be an excuse to ignore basic security hygiene.