Like a sibling comment said, at least you can be sure that updates you will download are provided by the same entity, since the repositories are signed.
each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure its the same package because the keys verify.
As pointed out piping curl to bash is problematic. Sure you can go to a browser and check the output, but one of the more fun hacks is detecting if curl pipeing to bash server side and dynamically re-writing the script during serving.
tldr:
So long as the package keys are verifiable, you can download a packge from a random mirror and be reasonably sure that it came from who it says it did.
Curl you have no hope, and its possible to infer during execution that you are piping to bash.
>each package is signed by the person who packages it. That means that if you are pulling from a random place, you can be reasonably sure its the same package because the keys verify.
Who's downloading packages from untrusted sources but somehow have a trusted way to get the signing key? Say you want to install claude code and not use the `curl ... | bash` install method. Good thing claude provides instructions for installing via apt[1]! But what do those instructions tell you to do? It tells you to download a key from downloads.claude.ai, then add the same domain to your apt sources list. So at the end of the day, you're still trusting that downloads.claude.ai hasn't been compromised.
Packages are signed, and contain manifests to check for file conflicts and help with cleanly uninstalling. The script installer might make bad assumptions during install that a package manager would catch.