by emulio
10 days ago
A package (like a .deb) is a static artifact. It can be hashed, mirrored, and GPG-signed. Package managers usually verify that signature before any pre/post-install scripts. A "curl <some_url> | bash" pipe is a dynamic stream; the server can perform targeted attacks: sending a clean script to 99% of users and a malicious payload only to a specific IP address or User-Agent. This allows for targeted attacks that are invisible to the rest of the community. Yes, running third-party code is always a leap of faith, but why choose a delivery method that removes the possibility of verification and opens the door to targeted injections? Convenience shouldn't be an excuse to ignore basic security hygiene.
Like requiring a WoT (usually with physical meetups) vetting people creating packages, FTP-masters, dedicated clean buildbots, etc. in addition to the packages themselves being signed and so on.
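The verify-before-execute property the comment contrasts with a pipe, as an added shell example that is not part of this thread: the installer is saved to a file, its SHA-256 is compared against a digest pinned from a trusted copy (here a locally constructed stand-in for a signed, mirrored package), and it is executed only on a match. The function names and the sample scripts are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Unlike "curl URL | bash", which runs
# whatever bytes the server chose to send to this client, the downloaded
# file is checked against a digest pinned out of band before anything runs.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256; otherwise
# reports the mismatch and returns 1 without executing a single byte of it.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Stand-alone demonstration with constructed files: a trusted copy provides
# the pinned digest, a "served" copy that differs is refused.
demo() {
    dir=$(mktemp -d)
    printf 'echo "installing from verified copy"\n' > "$dir/trusted.sh"
    printf 'echo "installing from verified copy"\necho extra\n' > "$dir/served.sh"
    pinned=$(sha256_of "$dir/trusted.sh")
    verify_then_run "$dir/trusted.sh" "$pinned"
    if verify_then_run "$dir/served.sh" "$pinned"; then
        echo "unexpected: tampered copy ran"
    else
        echo "tampered copy was refused"
    fi
    rm -rf "$dir"
}
```

Call `demo` to see both outcomes; in real use the pinned digest comes from a signed release or package metadata obtained separately from the download itself.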