Using a fixed-name directory in /tmp creates a potential security problem. Might be better to use $XDG_RUNTIME_DIR on Linux.

@edolstra What kind of security problem do you have in mind? It seems to me that the worst case would be where an attacker overwrites the install script in the unpacked release directory with an arbitrary executable.

$XDG_RUNTIME_DIR would avoid that threat, but is it present (and not set to something insecure like /tmp) on all platforms?

Using mkdir as stated in http://www.linuxsecurity.com/content/view/115462/151/ would work, but it seems rather difficult to make sure the release directory was created by the current user in the case where the release directory already exists.

How about copying the tarball to a secure directory (i.e. one created by mktemp -d) before computing the SHA and extracting? I made that change and pushed it as a commit to this PR.

[triage]

This is now part of the nix repository.

The PR would need to be re-done there.

And yes, as of today, the script still cleans up after itself.