Releases, code should be digitally signed #3480
Having no way to verify a binary as being official via a cryptographic signature (e.g. GPG) and then having instructions for users to install by using sudo, curl altogether blindly is a blatant disregard for best practices for software distribution.
At minimum, please start signing release binaries. No way can I or many others pull in docker-compose from a random URI (HTTPS or not) without some way of verifying who built the binary in the first place.
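The verification step the issue asks for, as an added example that is not part of the original issue or of the docker-compose project: a POSIX shell function that refuses to proceed unless a detached GPG signature on the downloaded binary checks out against a pinned key fingerprint. The download URL and the pinned fingerprint are assumed placeholders, and `gpg` (GnuPG 2.x) is assumed to be installed.

```shell
#!/bin/sh
# verify_release: check a downloaded release binary against its detached
# GPG signature before it is ever executed or installed.
#   $1 = path to the binary
#   $2 = path to its detached signature (.asc)
#   $3 = full fingerprint of the key the project is expected to sign with
# Returns 0 only if gpg reports a VALIDSIG made by exactly that fingerprint;
# a missing file, an unknown key, a bad signature or a different signing
# key all return 1.
verify_release() {
    binary="$1"; sig="$2"; expected_fpr="$3"
    [ -f "$binary" ] && [ -f "$sig" ] || return 1
    # --status-fd 1 emits machine-readable lines such as
    # "[GNUPG:] VALIDSIG <fingerprint> <date> ..." independent of locale.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$binary" 2>/dev/null) || return 1
    # Pin the fingerprint: "some key in my keyring signed it" is not enough,
    # it has to be the key the project publishes for releases.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 1
    return 0
}

# The pattern the issue argues for, in place of piping curl into sudo:
# fetch the binary AND its signature, verify, and only then install.
# RELEASE_URL and PINNED_FPR are placeholders, not values from the project.
#   curl -fsSLO "$RELEASE_URL/docker-compose"
#   curl -fsSLO "$RELEASE_URL/docker-compose.asc"
#   verify_release docker-compose docker-compose.asc "$PINNED_FPR" \
#       && sudo install -m 0755 docker-compose /usr/local/bin/docker-compose

# Usage when run directly: sh verify_release.sh <binary> <binary.asc> <fingerprint>
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```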