
> Isn't this literally what podman-systemd does?

That was my point, basically.

You have two options:

1) the usual `curl` or `wget` to fetch the binary and the lib(s) and all the work of validating and putting them in place and the like and _then_ you can use a systemd/.service file to set up controls for the bin

2) podman pull and then either ask podman to make a .service file for you or write your own

because only one of the two approaches has solved the package/distribution issue, containers are _not_ "less relevant given that systemd can twiddle the same isolation bits"



What "validating" does docker/podman pull do that is in excess of a curl of a file?

One of the advantages of a real package manager is that it checks signatures on the content that is downloaded. The supply chain on a Linux distro's package repos is much harder to break into than typosquatting into a docker registry somewhere.


> What "validating" does docker/podman pull do that is in excess of a curl of a file?

Every single thing has a SHA hash so verifying that I actually downloaded what I meant to download is easy. This gets tedious if I have to `curl https://github.com/someUser/someProject/release/latest.tar.g...` and also get the `tar.gz.sha256` file (if they even publish one ...).

Curl supports resuming a partial file (assuming the sending server also does) but it can't "know" ahead of time that the first 1/3 of the file I am downloading has already been fetched because it's also used by $someOtherArtifact.

> One of the advantages of a real package manager is that it checks signatures on the content that is downloaded.

So does docker/podman.

> The supply chain on a linux distro's package repos is much harder to break into than typosquatting into a docker registry somewhere.

Perhaps. For every "secure" package repo, I'll show you a much more up-to-date package in AUR/Nix.
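As an added example (not from anyone in this thread), here is the manual check that the `curl`/`wget` route leaves to the user: verify a downloaded artifact against the publisher's `<artifact>.sha256` sidecar, and refuse when the sidecar is missing, malformed, or does not match. It assumes coreutils `sha256sum` (falling back to `shasum`); the file names and contents are constructed stand-ins for a release tarball.

```shell
#!/bin/sh
# Added example: sidecar digest verification for a curl/wget-fetched artifact.
# Assumes sha256sum (coreutils) or shasum (BSD/macOS); all inputs are constructed.

sha256_of() {
    # Print the hex SHA-256 digest of file "$1" with whichever tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sidecar() {
    # Usage: verify_sidecar <artifact>; returns 0 only when <artifact>.sha256 exists,
    # holds a well-formed digest, and that digest matches the file on disk.
    artifact=$1
    sidecar="$artifact.sha256"
    [ -f "$sidecar" ] || { echo "no $sidecar published; refusing to trust $artifact" >&2; return 1; }
    # Sidecar format is "<64 hex chars>  <filename>"; keep only the digest field,
    # lowercased so upper- and lower-case hex compare equal.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sidecar")
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed digest in $sidecar" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest in $sidecar" >&2; return 1; }
    actual=$(sha256_of "$artifact")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $artifact: got $actual, expected $expected" >&2
        return 1
    fi
    echo "ok: $artifact matches $sidecar"
}

# Constructed demo: a stand-in for latest.tar.gz plus the sidecar a publisher would ship.
demo_dir=$(mktemp -d)
printf 'pretend this is a release tarball\n' > "$demo_dir/latest.tar.gz"
printf '%s  latest.tar.gz\n' "$(sha256_of "$demo_dir/latest.tar.gz")" > "$demo_dir/latest.tar.gz.sha256"
verify_sidecar "$demo_dir/latest.tar.gz"                       # prints ok
printf 'tampered\n' >> "$demo_dir/latest.tar.gz"               # simulate a modified download
verify_sidecar "$demo_dir/latest.tar.gz" || echo "tampered artifact rejected"
rm -rf "$demo_dir"
```

The same verification is what `podman pull someimage@sha256:<digest>` performs for you on every layer, which is the "validating" step the thread is arguing about.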



