curl|bash isn't insecure compared to downloading an installer program over https and running it.
It's just stupid from a reproducibility point of view: the concept that I have some program P which I can run two or more times, such that it's the same object P on each run.
Suppose curl|bash fails somehow and you need to debug it. If you try curl|bash again, it could be fetching a different script.
Of course, there are ways to fix it, like a versioned URL that points to an immutable script. You have to trust that it is immutable though.
A malicious rogue employee who works for the trusted domain could temporarily replace the script with something harmful. Bad things happen to some users, who have no trace of what was executed. The rogue restores the original script and so when that is re-fetched and examined, it looks clean.
None of the affected user saved a copy; they all ran 'curl|bash' and so there is no evidence.
This is really what people don't like; they are just not about to put a finger on it and articulate it properly: the transience of the executable program. When bash terminates for any reason, the program is lost forever. What was actually run? And does that program exist any more, or did the termination of bash just throw away the world's last copy of that version of the script?
In other words, maybe what you want is rather this:
That's not true. Curl doesn't use HSTS, whereas a browser does. Installer packages are signed, as well, so there's at least two ways in which downloading a proper installer from a browser is more secure.
It's just stupid from a reproducibility point of view: the concept that I have some program P which I can run two or more times, such that it's the same object P on each run.
Suppose curl|bash fails somehow and you need to debug it. If you try curl|bash again, it could be fetching a different script.
Of course, there are ways to fix it, like a versioned URL that points to an immutable script. You have to trust that it is immutable though.
A malicious rogue employee who works for the trusted domain could temporarily replace the script with something harmful. Bad things happen to some users, who have no trace of what was executed. The rogue restores the original script and so when that is re-fetched and examined, it looks clean.
None of the affected user saved a copy; they all ran 'curl|bash' and so there is no evidence.
This is really what people don't like; they are just not about to put a finger on it and articulate it properly: the transience of the executable program. When bash terminates for any reason, the program is lost forever. What was actually run? And does that program exist any more, or did the termination of bash just throw away the world's last copy of that version of the script?
In other words, maybe what you want is rather this:
:)