by Cthulhu_
1812 days ago
The request itself won't be tampered with, but what if the host was? That endpoint could be compromised and send you a different script. They should offer a download with signature validation instead. Signed by Apple, Microsoft, etc if possible.
The safety is in reviewing the code there, not in avoiding curl | bash. Running pip install or npm install is just as dangerous.
> They should offer a download with signature validation instead. Signed by Apple, Microsoft, etc if possible.
If the host is compromised, the attacker will just get Microsoft to sign their malware instead; see [0]. If the host is compromised, and you run the code without reviewing it, you're hosed regardless.
[0] https://arstechnica.com/gadgets/2021/06/microsoft-digitally-...
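The alternative both comments circle around (download first, check integrity against a value obtained somewhere other than the serving host, read the script, then run it) as an added example; this is not code from either commenter or from any project mentioned. It assumes the expected SHA-256 digest is supplied out of band, for instance from signed release notes, and that `curl` and either `sha256sum` or `shasum` are available.

```shell
#!/usr/bin/env bash
# Added example: replace `curl ... | bash` with download -> verify -> review -> run.
# The digest passed in is assumed to come from a source independent of the
# host serving the script; a digest fetched from the same host proves nothing
# if that host is compromised.
set -eu

# sha256_of FILE -> prints the hex SHA-256 digest of FILE (GNU or BSD tooling)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED_HEX -> exit 0 if the digests match, 1 otherwise
verify_digest() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Downloads URL to DEST over TLS only and deletes DEST on a digest mismatch,
# so nothing unverified is left on disk to be run by accident.
fetch_and_verify() {
  url=$1; expected=$2; dest=$3
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  if ! verify_digest "$dest" "$expected"; then
    echo "digest mismatch for $dest; refusing to keep it" >&2
    rm -f "$dest"
    return 1
  fi
  # Verification only tells you the bytes are the ones someone published;
  # reading the script is still the step that tells you what it does.
  echo "digest ok: $dest (review it, then run: bash $dest)"
}
```

Usage would be `fetch_and_verify https://example.invalid/install.sh <hex digest from release notes> ./install.sh` (URL and digest are placeholders), followed by opening `./install.sh` in an editor before executing it. Pinning a digest rather than trusting a signature made by the serving host is what makes the check independent of that host; the reply's point still stands that a verified script you never read gives no protection.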