by hprotagonist 1303 days ago

  curl ... | bash 
is the moral equivalent of

  {npm, pip, nuget, ...} install
and I really don't understand the folderol around that. In both cases, you can alter the command slightly to instead download the payload without executing it and inspect it first, if you wish. In both cases, you're ultimately going to either audit and then execute or just execute code from Somewhere Else.

This is true for distro package managers too, though you could argue that sometimes but not always (ppas, community/, whatever) a distro package manager is an extra layer of insulation between you and nasty stuff.


This is kind of my take on it. As gross as I find pipe-to-shell installers to be instinctually, I can't really think of any objections I have about them which don't apply to just grabbing a package from MacPorts, save for one: MacPorts gives me a unified interface for listing and uninstalling that software after it's installed that I don't get from ad hoc installers. But in terms of the common complaints like security, it's pretty much the same - it's not like I'm auditing the source or patches of all the software I'm installing via MacPorts either.

If curl dies early, bash might be executing a truncated script. Arbitrarily truncated bash scripts are often valid bash scripts that do things you don't want.

You can trivially sidestep this with a main shell function called at the end of your script. https://github.com/terrastruct/d2/blob/729b12685af79bbdaf4b3...

Kinda! The author of the script can trivially avoid the problem. The person pasting "curl ... | bash" into their terminal needs to rely on them having done so, which (last I looked) they too often haven't.