by spookylukey 3915 days ago
One issue they don't address is one of culture:

curl|bash is much less secure, in general, than using your package manager (since not everyone will serve downloads over HTTPS, and won't take the steps described in the article etc.). By encouraging it, they are making this method normal, when it shouldn't become normal.

2 comments

One important distinction to make is that this very much depends on what package manager you're talking about.

Linux package managers tend to use signing and other mechanisms to check content.

Software library package managers (e.g. npm, rubygems, etc.) generally don't. Some of them offer signing but almost no packages are actually signed, and they don't do any curation of content.
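As an added illustration of the distinction drawn in the comment above (this is example code written for this discussion, not code from any commenter or from any real package manager): a minimal version of the two-layer check a signed Linux repository applies before anything is installed. The repository signs a small manifest binding name and version to the SHA-256 of the package bytes; the client verifies that signature against a key pinned at setup time, then verifies the downloaded bytes against the digest. The key pair, package name, version and package contents are all constructed inline so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed metadata a repository publishes: it binds a package
// name and version to the SHA-256 of the exact bytes that will be installed.
// (Constructed for this example; real repositories use richer formats.)
type Manifest struct {
	Name    string
	Version string
	SHA256  string // hex digest of the package bytes
}

// Encode produces the canonical bytes that are signed and later verified.
func (m Manifest) Encode() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned repository key")
	ErrBadDigest    = errors.New("package bytes do not match the digest in the signed manifest")
)

// VerifyPackage is the gate applied before any package content runs:
//  1. the manifest must carry a valid signature from the pinned repository key,
//  2. the downloaded bytes must hash to the digest inside that signed manifest.
// Piping a download straight into a shell has neither step.
func VerifyPackage(repoKey ed25519.PublicKey, m Manifest, sig []byte, pkg []byte) error {
	if !ed25519.Verify(repoKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(m.SHA256)) != 1 {
		return ErrBadDigest
	}
	return nil
}

// PublishPackage is the repository side, included only so the example is
// self-contained: it computes the digest and signs the manifest.
func PublishPackage(priv ed25519.PrivateKey, name, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Encode())
}

func main() {
	// Constructed repository key; a real client would pin the public half at setup.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("#!/bin/sh\necho install\n") // constructed package payload
	m, sig := PublishPackage(priv, "example-tool", "1.0.0", pkg)

	fmt.Println("genuine package:", VerifyPackage(pub, m, sig, pkg))

	// Bytes altered in transit or on a mirror: signature still valid, digest is not.
	tampered := append(append([]byte{}, pkg...), []byte("echo extra\n")...)
	fmt.Println("tampered bytes:", VerifyPackage(pub, m, sig, tampered))

	// Metadata altered (e.g. a downgrade): signature no longer covers it.
	downgraded := m
	downgraded.Version = "0.9.0"
	fmt.Println("edited manifest:", VerifyPackage(pub, downgraded, sig, pkg))
}
```

The order matters: the signature is checked first so that an attacker who can alter both the package and the manifest still cannot produce a passing pair without the repository's private key, and the digest comparison is constant-time as a matter of habit even though the digest is public.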

They also gloss over the fact that packages in package managers are usually vetted by the maintainers, who often have additional safety measures in place, such as repeatable builds, to ensure that they are not compromised.