Getting it out of a repository wouldn't make any more vetting appear as if by magic.
And if you're facing an attacker sophisticated enough to send different contents to a browser and to curl, then you're probably not going to find their backdoor in the first place. And it would be stupid of them to depend on that trick, so this becomes an extremely niche case not worth worrying about.
And multiply that sophistication by a hundred times because this is on github servers.
The "what if the file is truncated" issue is the only realistic one, and competent installers like this one define functions and don't run them until the last line.
> Getting it out of a repository wouldn't make any more vetting appear as if by magic.
But it makes it way easier to figure out what happened if you do get attacked.
With "curl | sh" if a compromised site only sends the attack code randomly and I get unlucky I won't have a copy of the attack code afterwards. If I go to the site to grab a copy I'll probably get a copy without the attack code.
With "curl > /tmp/foo.$$; sh < /tmp/foo.$$" if I am unlucky and get the attack code I can at least look at /tmp/foo.$$ to see what happened, and download the code again and see if it is the same.
If you insist on piping, at least do "curl | tee /tmp/foo.$$ | sh".
But honestly it doesn't take a lot of sophistication to hide an exploit somewhere in an entire piece of software. The average person is very vulnerable to a malicious dev and the way they download is very unlikely to matter as long as it's not http://
And if you're facing an attacker sophisticated enough to send different contents to a browser and to curl, then you're probably not going to find their backdoor in the first place. And it would be stupid of them to depend on that trick, so this becomes an extremely niche case not worth worrying about.
And multiply that sophistication by a hundred times because this is on github servers.
The "what if the file is truncated" issue is the only realistic one, and competent installers like this one define functions and don't run them until the last line.