by geofft 3431 days ago
What's wrong with it?

If you're claiming that you don't get the ability to audit the code, I'd like to watch you audit a ./configure shell script generated by GNU autoconf.

If you're claiming that you want to apt-get install so the package maintainer has audited the code, I'd like to watch them audit the ./configure shell script.

Downloading and auditing code from an untrusted source is security theatre. Don't install it at all, if you don't trust it. Or use some platform (the web, iOS, Android, Qubes, etc.) that makes it such that there's no need to audit it because the app is restricted in what it can do.

2 comments

If the connection closes mid-stream, it could potentially run something catastrophic (rm -rf /), as sh will execute the partial command in its buffer.
Yes. Wrap the entire script in a function and call the function at the end once the whole thing has transferred. https://install.sandstorm.io/, for instance, does this.
At least wrap the dang thing in a function and execute the function. That way you don't get partial execution if the HTTP connection manages to die halfway through.
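
The partial-execution failure and the function-wrapper fix discussed in these comments, as an added example that is not part of the thread and not taken from any real installer. The script contents, the `app/cache` path and the `main`, `truncate_at` and `outcome` names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo; every file it touches lives in a throwaway temp directory.

# Unwrapped installer (constructed): commands run as soon as sh has read them.
PLAIN='echo "installing"
rm -rf app/cache
echo "done"'

# Same installer wrapped in a function that is only called on the last line.
WRAPPED='main() {
  echo "installing"
  rm -rf app/cache
  echo "done"
}
main'

# Simulate the connection dying just before "/cache" arrives,
# leaving "rm -rf app" as the last bytes received.
truncate_at() {
    printf '%s' "${1%/cache*}"
}

# Pipe script text ($1) to sh in a sandbox that already holds user data,
# then report whether that data survived.
outcome() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app/cache" "$root/app/data"
    echo keep > "$root/app/data/important"
    # A syntax error from sh is an expected result here, so ignore its status.
    printf '%s' "$1" | (cd "$root" && sh) >/dev/null 2>&1 || :
    if [ -f "$root/app/data/important" ]; then echo intact; else echo destroyed; fi
    rm -rf "$root"
}

echo "plain, truncated:   $(outcome "$(truncate_at "$PLAIN")")"
echo "wrapped, truncated: $(outcome "$(truncate_at "$WRAPPED")")"
echo "wrapped, complete:  $(outcome "$WRAPPED")"
```

The truncated wrapped script stops at a syntax error (unterminated function body) before any command runs, which is why the data survives.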