It's just whatever the github.com servers choose to serve you. Isn't that the point? If you trust what they serve you then it's safe to run, and if you don't then it isn't. Which is exactly the same situation as the software itself in the main repo, isn't it?
How is curling and running a script any different to cloning it and running it?
Are you thinking that the fact that the repo has a commit hash saves you? What are you verifying the commit hash against? What you see on the website? The website also served by github.com? And how do you know the commit hash isn't accurate, and it's just a hash of code that does indeed contain attacking code?
I'm not sure any of it makes any difference. github.com can serve you code containing attacks from either the repo or the installation script and in both vectors you're just as vulnerable.
GitHub. The same place as the software. If you don't trust github.com's servers then you don't trust either the software or the installation script.