by ajross 5417 days ago
What matters is that it's a terrible hack. Even ignoring the security concerns with "install this completely untrusted code from the internet": there's no way to cleanly recover/uninstall if something breaks; there's no way to tell what version you have (not even in theory, as this clones HEAD!).

Most importantly, there's no chain of authority here. In the Linux world, for example, your packages generally come from the distro and are signed. Down a layer, they might come from a third party repo (rpmfusion, say), which is still a large organization with high visibility and good auditing. Down farther still, there are tools like Launchpad or openSUSE's OBS which allow you to build installable packages of your own, but these are still distributed out of a managed infrastructure and your identity is reasonably tracked. Finally at the bottom are the people ("developers") who like to pull raw source code and compile it. These people are expected to be communicating as part of a project, so they can be warned about compatibility goofs or (goodness forbid) the occasional malware incident.

This "pull and install automatically" gives you the ease of use of the top level, but an even weaker promise of authority than even the bottom level. That's a bad thing.
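The three properties the comment says a "clone HEAD and run it" installer lacks (a known version, an integrity check tied to something outside the download, and a clean uninstall) can be seen concretely in a small pin-and-verify install step. The script below is an added example written for this page; it is not code from the comment, the thread, or any project discussed there. It assumes the upstream publishes a versioned artifact together with its SHA-256 digest through a channel other than the download itself (release notes, a signed checksum file); here both the artifact and the digest are constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the HN thread: install a pinned, checksummed artifact
# and record what was installed, instead of cloning HEAD and running it blind.
set -eu

# SHA-256 of a file, portable across GNU sha256sum and BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Succeeds only if the file's digest equals the pinned value obtained out of band.
verify_artifact() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_pinned VERSION FILE EXPECTED_SHA256 PREFIX
# Refuses to touch PREFIX unless the digest matches, then writes a manifest
# (version, digest, file list) so the install can be identified and removed.
install_pinned() {
    version=$1; file=$2; expected=$3; prefix=$4
    if ! verify_artifact "$file" "$expected"; then
        echo "refusing to install $version: digest mismatch for $file" >&2
        return 1
    fi
    mkdir -p "$prefix/bin"
    cp "$file" "$prefix/bin/tool"
    chmod 755 "$prefix/bin/tool"
    printf 'version=%s\nsha256=%s\nfiles=bin/tool\n' \
        "$version" "$expected" > "$prefix/MANIFEST"
}

# uninstall_pinned PREFIX: remove exactly the files the manifest lists, nothing else.
uninstall_pinned() {
    prefix=$1
    [ -f "$prefix/MANIFEST" ] || return 1
    for f in $(sed -n 's/^files=//p' "$prefix/MANIFEST" | tr ',' ' '); do
        rm -f "$prefix/$f"
    done
    rm -f "$prefix/MANIFEST"
}

# Constructed demo artifact standing in for a downloaded release (hypothetical tool 1.2.3).
WORK=$(mktemp -d)
ARTIFACT="$WORK/tool-1.2.3"
printf '#!/bin/sh\necho hello\n' > "$ARTIFACT"
# In practice GOOD_SHA is copied from the signed release notes, never computed
# from the download itself; it is computed here only so the demo is self-contained.
GOOD_SHA=$(sha256_of "$ARTIFACT")

# A modified copy under the same version name, as a changed upstream would appear.
TAMPERED="$WORK/tool-1.2.3.modified"
printf '#!/bin/sh\necho goodbye\n' > "$TAMPERED"

install_pinned 1.2.3 "$ARTIFACT" "$GOOD_SHA" "$WORK/prefix" && cat "$WORK/prefix/MANIFEST"
install_pinned 1.2.3 "$TAMPERED" "$GOOD_SHA" "$WORK/prefix2" || echo "modified copy rejected"
```

The manifest is the part a `git clone` of HEAD never produces: it answers "what version is this?" and "what did it put on my disk?", which is what makes both an audit and a clean removal possible. The digest comparison only helps if the expected value comes from somewhere the attacker who controls the download cannot also edit, which is the chain-of-authority point the comment makes about distro-signed packages.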