by LegibleCrimson 835 days ago
The problems with curl-bash are overblown. You are pretty much exactly as vulnerable running pip install, npm install, or cargo install.

Not that curl bash is great, but it's not uniquely horrible when the goal is to run some unvetted code on your machine.

If you care about security, you have to either vet the code or trust the source. When you install through your package manager, you're trusting the maintainers. When you install from curl bash, a random website, or any unvetted software source, you are electing to trust the developers or site directly.

2 comments

The big difference with curl|bash is that the download itself gets to execute in the context of the computer as it is downloading, which is a superpower that makes it much easier to hide behaviors, as you can make it extremely difficult for people to ever be able to just download a dead copy of the script to analyze it for malware.
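A defender's answer to the dead-copy point above, as an added example that is not part of this thread: save the script to disk, compare two separate fetches, hash the file, and read it before anything runs. It assumes curl and either sha256sum or shasum are installed; the URL and hash in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): fetch an install script to disk as a
# "dead copy" first, so the bytes you inspect are the bytes you later run.
# Assumes curl and either sha256sum (GNU) or shasum (BSD/macOS).

# Print the SHA-256 of a file, portable across GNU and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if the file's SHA-256 equals the expected hex digest, 1 otherwise.
check_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Download to a file rather than a pipe: the body is written straight to disk,
# so nothing executes mid-stream and there is no execution-induced pause for a
# server to key on. Two independent fetches must agree before we keep the copy;
# this is a consistency check, not proof the server serves everyone the same.
fetch_dead_copy() {
    url=$1; out=$2
    curl -fsSL --proto '=https' -o "$out" "$url" || return 1
    curl -fsSL --proto '=https' -o "${out}.second" "$url" || return 1
    if [ "$(sha256_of "$out")" != "$(sha256_of "${out}.second")" ]; then
        echo "content differed between two downloads of $url" >&2
        return 1
    fi
    rm -f "${out}.second"
    echo "saved $url to $out (sha256 $(sha256_of "$out"))"
}

# Usage (placeholder URL and hash; use the vendor's published values):
#   fetch_dead_copy https://example.invalid/install.sh ./install.sh
#   ${PAGER:-less} ./install.sh        # read it before running it
#   check_sha256 ./install.sh <published-sha256> && sh ./install.sh
```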
Packages on those systems do get blocked at times. So no, not as risky.