I spent weeks explaining to junior devs to not do that on production servers. I thought it was obvious, but apparently it isn't...

I'm not validating it as a good practice, but that seems to be the main reason and I've not heard of Pow or Homebrew causing any problems in this regard.. yet ;-)

There's a reason I don't install things that don't use apt.

There is a manual installation process provided on the front page; Yeoman itself appears to be a Node.js module in the node package manager npm.

Try this to see a proof of concept:

$echo "echo test" | bash

Getting people used to that is a bad idea.

Download package

md5 package

verify md5 == published md5 of packge

extract

make install / install.sh / etc

With "curl package.github.com" | bash" the validation is missing. I don't mind the curl x | bash for my dev machine or testing/dev vms, but that is not happening on production. And if I need said software on production, I have to find a different way to install.

Maybe the solution here, assuming you trust the third party, is for them to get a signed SSL cert and provide `curl https://get.whatever.com|bash`

That's enough extra work, and unreliable enough, that the attacker might not bother. Why work so hard to sabotage the user who checks md5sums when you can just wait for a user that doesn't? Just because thieves can carry lockpicks doesn't mean that you shouldn't bother locking your car: Protection against lazy, opportunistic thieves is still better than nothing.

The other advantage of the MD5 plan is that you can download the MD5 from a different site than the script, at a different time and over a different internet connection (or, perhaps, over https). A specific, important version of that use case is: If you're installing the script over and over again in an automated fashion, you can download its MD5 in advance, cache it, and then check it against every future download of the script to verify that the script hasn't changed. When the script gets updated and the MD5 legitimately changes, you audit the diff and then update your copy of the MD5 for the future.

Meanwhile, using curl-over-HTTPS seems like it couldn't hurt, but better make sure 'curl' is really checking the cert and aborting on cert mismatch, because tools can be very sloppy about this. Also, you're still trusting the third party site, and once their site gets hacked it's game over… unless you have another canonical source for the MD5 sum.

One ultimately realizes why real packaging systems have signed packages, with private keys assigned to developers.

"Nobody's forcing you" is the weakest argument.

Just kidding.

It's not an argument at all. It's a manner of speech. To be more verbose: I can't think of a compelling reason why you would blindly type whatever instructions you see on the screen, into your terminal. Unless you were being forced.

How does Yeoman compare, and why should I switch?

I asked this in a previous submission on Grunt, in a thread that talked about Yeoman, but I never got an answer.

[1]: http://brunch.io/

EDIT: It looks like the new FAQ addresses this issue: http://yeoman.io/faq.html > "How does Yeoman differ from tools like Brunch or BBB?" and "How does Yeoman differ from Grunt?". Post left up for other users who are wondering how this compares to Grunt or Brunch.

However, the answer seems a little... underwhelming. Apparently it's "we've made making your own scaffolds easier". Are there any other, unmentioned benefits?

EDIT2: Partial updates as I discover this myself (hope that's okay): one huge advantage is how it uses Bower beneath the surface. No more manual AngularJS/JQuery/other dep upgrading!!

https://github.com/brunch/brunch/issues/408

Bower support is coming to brunch in the next release.

    Yeoman is a robust and opinionated set of
    tools, libraries, and a workflow that can
    help developers quickly build beautiful,
    compelling web apps.

It has many capabilities useful to the modern web dev workflow.

Of most note to me, it acts as a "project creation" tool. AKA "A Scaffolding generator."

It will pull things like HTML5 Boilerplate, jQuery, Backbone.js, etc down from github, and properly generate the project files you need to start a project with those dependencies.

You dont have to worry about how any of it fits together, it will get you up and running with the latest version of everything with a simple commandline.

It also does things like minify css and javascript, as well as compiling LESS/SASS and Coffeescript.

They are unfortunately trying to make a single tool that solves many problems, when they might be better served by making many tools, that are all good at 1 thing each... I'm still waiting for them to launch this so I can see how that all pans out.

"You don't have to worry about how any of it fits together..." That doesn't seem like an advantage.

If someone is churning out websites right and left I could see this being a more interesting tool, as it seems to be more powerful that any "boilerplate generation" scripts I would write myself.

The pain point of managing dependencies is indeed non-trivial in my experience, so I will keep an open mind for tools that look to solve this.

Random stream-of-consciousness idea: I create a new directory, and in it a text file containing the following on separate lines: "jQuery html5boilerplate AngularJS". I then run a build command to pull all these resources together in a sane way. This would allow me the fine-grained control I prefer, help ease the tedium of fetching dependencies, and obviate the need for a stream of "yes/no" questions at the terminal. This functionality may exist already, and it seems like it could be built by leveraging the logic being Yeoman, but with a different "UI".

Food for thought!

http://get.yeoman.io

    $ uname
    Linux

Besides, it _assumes you're on a Mac_ if none of these three programs are found.

I'm not brave enough to actually run the script and check, though.

http://www.adobe.com/devnet/html5/articles/yeoman-at-your-se...

I really want Yeoman to take off, in particular because I really want one of these tools to become the breakout hit. I'd rather everyone be focusing on improving one tool instead of all this effort going diffuse across a bunch of different solutions. I'm a python dev, and I thank the stars that pip became so standard. (Not that this is a direct analog to pip, but pip provides a subset of this functionality when it comes to packaging.)

One note: the Ember init is waaaay basic. I know that these are going to be community maintained, but I would have hoped that the Ember generator bundled with this initial release would have included at least commonjs or requirejs integration.

[1]http://www.brunch.io [2]https://github.com/tbranyen/backbone-boilerplate

I think its a great idea!

*edit Actually just noticed that it IS an npm package that can be installed using `npm install yeoman´

https://github.com/sym3tri/pith

  if [ "$COMPASS" -eq 0 ]; then
    echo ""
    echo "Install hiccup: no compass"
    echo "Sorry chap, compass wasn't setup because there was a problem with your ruby setup. You can check the documentation here for help: [link to documentation]."
  fi

Very nice install script by the way, you clearly had a lot of fun making it.

EDIT – totally missed that this in fact uses Bower for the package managment, so probably couldn't even launch until that was released.

It is written by the same guy who wrote require.js. It probably needs better documentation, but it will be improved over time.

This reminds me how much we need a global package manager, for most of the open source languages. Why would each framework need it's own way of handling dependencies.

But why not just fork the repo on Github (or onto your own infrastructure) and run the script from there, where you can verify any tampering?