Would you bet you live on the assumptionthat there is no way a network problem could truncate the script into something, that does something unintended but harmful?
That problem is easily avoided by wrapping the whole script in a function and then calling it on the last line.
It looks like Patchwork's script doesn't quite do that, but it does put _most_ of its functionality into functions, and AFAICT there is no particular place in the script where a connection loss could lead to anything bad happening. Admittedly this appears to be a lucky accident rather than following best practice.
Yeah telling us to blindly run a shell script is...a quirky design choice. At least it doesn't tell you to run it with sudo like I've seen some other ones do, and the shell script itself is sanely commented.
If the script source is on github and isn't run under sudo, is there a meaningful difference between curl | sh and apt-get install from a PPA, gem/pip install, etc?
Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.
Looked at the site and read the comments which made me think about the HN post yesterday about hiding vulnerabilities in plain site (https://news.ycombinator.com/item?id=10889721). Like your idea though.
[1] https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...
He addresses code signing and mitm and connection interruptions.
Edit: The gist of it is no, it's not more insecure than other software distribution methods.